Skip to main content
United States flag An official website of the United States government
Official websites use .gov
A .gov website belongs to an official government organization in the United States.
Secure .gov websites use HTTPS
A lock () or https:// means you’ve safely connected to the .gov website. Share sensitive information only on official, secure websites.
Show

NCUA’s Current SORNs

NCUA-1

System Name: Personnel Access and Security System (PASS)

System Location: Office of Continuity and Security Management, National Credit Union Administration, 1775 Duke Street, Alexandria, VA. 22314.

Authority for Maintenance of the System: Government Organization and Employees (5 U.S.C. 301); 5 U.S.C. Chapter 73 (Suitability, Security, and Conduct); 5 U.S.C. 7531-33 (National Security); Federal Information Security Management Act of 2002 (44 U.S.C. 3541); E-Government Act of 2002 (44 U.S.C. 101); Paperwork Reduction Act of 1995 (44 U.S.C. 3501); Executive Order 10450 (Security requirements for government employment); Executive Order 13526 and its predecessor orders (National Security Information); Executive Order 12968 (Access to Classified Information); Executive Order 13857 (Security of Classified Networks and Information); Homeland Security Presidential Directive 12 (HSPD-12), August 27, 2004); 12 U.S.C § 1785 and NCUA Rules and Regulations 701.14; Section 212 of the Federal Credit Union Act (12 U.S.C § 1790a).

Purpose(s): The collected information enables NCUA OCSM to identify and review allegations of misconduct or negligence in employment and other security information relevant to making HSPD-12 PIV card issuance determinations, and personnel suitability, fitness, and/or national security determinations. It also improves the handling of sensitive personal information and facilitates NCUA’s ability to identify potential insider threats or potential systemic security concerns.

Categories of Individuals Covered by the System: The system will collect and maintain information on individuals who require short- or long-term access as required by their position to NCUA-controlled facilities and information technology systems, including NCUA employees, appointees, interns, contractors, students, volunteers, and other non-federal employees either presently or formerly in any of these positions; applicants for NCUA employment or for work on NCUA contracts; applicants, appointees, employees, interns or contractors for whom an Office of Personnel Management (OPM) suitability, fitness or national security clearance investigation has been initiated and/or conducted; officials from troubled or newly chartered credit unions; visitors to NCUA facilities and their security clearance information; foreign national visitors.

Categories of Records in the System: Incident and investigative material relating to any category of individual described above, including case files containing information such as full name, date of birth, gender, photograph, social security number, place of birth, citizenship; work and home telephone numbers and addresses; identification documentation (such as passports, work visas, driver’s licenses); security screening information (such as resume, employer address, applications for employment, fingerprints, credit checks); legal case pleadings and files; employment information (NCUA employment status, former employment letters of reference, former employment letters of termination or resignation); information obtained during security inquires (such as letters of inquiry; other agency database checks and reports; suspicious activity reports and notifications from other agencies and employees; network audit records, email, chat conversations, text messages sent using NCUA devices; social media account findings for individuals undergoing security investigations); self-reported security-related information (such as foreign travel notifications, changes in financial status, changes in marital status, arrests); security violation files; security evaluations and clearances; NCUA security screening status (permanent or provisional); personnel identity verification (PIV) information (such as card status, PIV card number, PIN number).

For visitors, information collected can include names, date of birth, citizenship, identification type, temporary pass number, host name, office symbol, room number, telephone number.

Record Source Categories: Information is provided by the individual to whom the record pertains; references supplied by the individual such as current and/or former employers and associates; public records such as court documents, news media, social media and other publications; intra-agency records; and investigative and other record material compiled in the course of investigation or furnished by other government agencies.

Routine Uses of Records Maintained in the System, Including Categories of Users and the Purposes of Such Uses: NCUA OCSM uses these records to document the outcome of adjudicative determinations for the issuance of the HSPD-12 PIV card or the local agency access badge, and to document the outcome of adjudicative determinations for suitability, fitness, and/or national security clearances. Contact information is used for communication and authentication purposes. In addition with those disclosures generally permitted under 5 U.S.C. 552a(b) of the Privacy Act, all or a portion of records in this system may be disclosed to authorized federal or state entities as it is determined to be relevant and necessary.

Policies and Practice for Storage of Records: Records are stored electronically and physically.

Policies and Practice for Retrievability of Records: Records are retrieved by individual identifiers such as name, social security number, or an individual identifier with non-individually identifiable information.

Policies and Practice for Retention and Disposal of Records: Records are maintained until they become inactive. Records become inactive when they are no longer useful for their collected purpose. Records are disposed in accordance with NCUA record retention schedules and consistent with destruction methods appropriate to the type of information.

Physical, Procedural, and Administrative Safeguards: Information in the system is safeguarded in accordance with the applicable laws, rules and policies governing the operation of federal information systems. Access to privacy-related information within the system is password protected and restricted to authorized personnel. Physical records in paper format are safeguarded in accordance with the applicable laws, rules and policies governing privacy-related information. All records in paper format are stored under the requisite double-lock. Access to privacy-related information in paper format is restricted to authorized personnel.

System Manager(s): Deputy Director, Office of Continuity and Security Management, National Credit Union Administration, 1775 Duke Street, Alexandria, VA 22314.

Record Access Procedures: Upon verification that an individual has a record in the system, as determined by the notification procedure below, the system manager will provide the procedure for gaining access to available records.

Contesting Record Procedures: Requests to amend or correct a record should be submitted in writing to the system manager listed above in accordance with NCUA regulations at 12 CFR Part 792, Subpart E. Requesters must reasonably identify the record, specify the information being contested, state the corrective action sought and the reasons for the correction along with supporting justification showing why the record is not accurate, timely, relevant, or complete.

Notification Procedure: An individual can determine if this system contains a record pertaining to the individual by addressing a request in writing to the system manager listed above in accordance with NCUA regulations at 12 CFR Part 792, Subpart E. The individual must provide his/her full name and identify the date he/she was associated with NCUA as well as contact information for a response. If there is no record on the individual, the individual will be so advised.

Exemptions Promulgated for the System: In addition to any exemption to which this system is subject by Notices published by or regulations promulgated by OPM or the Director of National Intelligence, the system is subject to a specific exemption pursuant to 5 U.S.C. 552a (k)(5) to the extent that disclosures would reveal a source who furnished information under an express promise of confidentiality.

NCUA-2

System Name: Grievance Records.

System Location: Office of Human Resources, National Credit Union Administration, 1775 Duke Street, Alexandria, Virginia 22314.

Categories of Individuals Covered by the System: Current or former Federal employees who have submitted grievances with NCUA in accordance with part 771 of the OPM's regulations. These case files contain all documents related to the grievance, including statements of witnesses, reports of interviews and hearings, examiners' findings and recommendations, a copy of the original and final decision with related correspondence and exhibits.

Authority for Maintenance of the System: 5 U.S.C. 1302, 3301, and 3302, E.O. 10577, 3 CFR 1954-1958 Comp., p. 218; E.O. 10987; 3 CFR 1959-1963 Comp., p. 519.

Purpose: The information in this system is used in the Agency’s formal grievance process.

Routine Uses of Records Maintained in the System, Including Categories of Users and the Purposes of Such Uses:

  1. Information is used by the appropriate Federal, State, or local agency responsible for investigating, prosecuting, enforcing, or implementing a statute, rule, regulation, or order where the disclosing agency becomes aware of an indication of a violation or potential violation of civil or criminal law or regulations.
  2. Information is used by any source from which additional information is requested in the course of processing a grievance to the extent necessary to identify the individual, inform the source of the purpose(s) of the request, and identify the type of information requested.
  3. Information is used by a Federal agency in response to its request in connection with the hiring or retention of an employee, the issuance of a security clearance, the conducting of a security or suitability investigation of an individual, the classifying of jobs, the letting of a contract, or the issuance of a license, grant, or other benefit by the requesting agency, to the extent that the information is relevant and necessary to the requesting agency's decision on the matter.
  4. Information is used by the congressional office from the record of an individual in response to an inquiry from that congressional office made at the request of that individual.
  5. Information is used by another Federal agency or by a court when the government is party to a judicial proceeding before the court.
  6. Information is used by the National Archives and Records Administration (General Services Administration) in records management inspections conducted under authority of 44 U.S.C. 2904 and 2906.
  7. Information is used by NCUA in the production of summary descriptive statistics and analytical studies in support of the function for which the records are collected and maintained, or for related work force studies. While published statistics and studies do not contain individual identifiers, in some instances, the selection of elements of data included in the study may be structured in such a way as to make the data individually identifiable by inference.
  8. Information is used by officials of the Office of Personnel Management, the Merit Systems Protection Board, including the Office of the Special Counsel, the Federal Labor Relations Authority and its General Counsel, or the Equal Employment Opportunity Commission when requested in performance of their authorized duties.
  9. Information (that is relevant to the subject matter involved in a pending judicial or administrative proceeding) is used to respond to a request for discovery or for appearance of a witness.
  10. Information is used by officials of labor organizations reorganized under the Civil Service Reform Act when relevant and necessary to their duties of exclusive representation concerning personnel policies, practices, and matters affecting work conditions.
  11. Standard routine uses as set forth in appendix A.

Policies and Practices for Storing, Retrieving, Accessing, Retaining, and Disposing of Records in the System:

Storage: Records are maintained in file folders.

Retrievability: Records are retrievable by the names of the individuals on whom they are maintained.

Safeguards: Records are maintained in lockable metal filing cabinets to which only authorized personnel have access.

Retention and Disposal: Records are disposed of three (3) years after closing of the case. Disposal is by shredding or burning.

System Manager(s) and Address: Director, Office of Human Resources, National Credit Union Administration, 1775 Duke Street, Alexandria, Virginia 22314.

Notification Procedure: An individual may inquire as to whether the system contains a record pertaining to the individual by addressing a request in person or by mail to the system manager listed above. If there is no record on the individual, the individual will be so advised.

Record Access Procedures: Upon request, the system manager will set forth the procedures for gaining access to available records.

Contesting Record Procedures: Request to amend or correct a record should be directed to the system manager listed above.

Record Source Categories: Individual on whom the record is maintained; testimony of witness; agency officials; related correspondence from organization or persons.

NCUA-3

System Name: Payroll Records System

System Location: Office of the Chief Financial Officer, National Credit Union Administration, 1775 Duke Street, Alexandria, Virginia 22314. NCUA also has an interagency agreement with the General Services Administration, Region VI, Kansas City, Missouri to provide and maintain payroll and related services and systems involving NCUA employees. For administrative purposes, supporting documents in hard copy form may exist within NCUA at the duty station of each employee.

Categories of Individuals Covered by the System: Employees of NCUA.

Categories of Records in the System: Salary and related payroll data, including time and attendance information.

Authority for Maintenance of the System: 5 U.S.C. 703; 44 U.S.C. 3301.

Purpose: This system documents time and attendance and ensures that employees receive proper compensation and that NCUA’s financial reports properly reflect employee salary and benefit payments. It is also used to allow the agency to budget employee pay and benefits.

Routine Uses of Records Maintained in the System, Including Categories of Users and the Purposes of Such Uses:

  1. Information is used to ensure proper compensation to all NCUA employees and to formulate financial reports and plans used within the agency, or is sent to the General Services Administration (GSA).
  2. Information is used to document time worked and provide a record of attendance to support payment of salaries and use of annual, sick, and nonpaid leave.
  3. Users of the time and attendance information include the employee's supervisor, the office's timekeeper, the payroll officer, staff involved in the budget process, accountants responsible for the proper recording of payroll results, and the GSA National Payroll Center in Kansas City, Missouri.
  4. Further information in this system is used to make reports to state and local taxing authorities.
  5. The names, social security numbers, home addresses, dates of birth, dates of hire, quarterly earnings, employer identifying information, and State of hire of employees may be disclosed to the Office of Child Support Enforcement, Administration for Children and Families, Department of Health and Human Services for the purpose of locating individuals to establish paternity, establish or modify orders of child support, identify sources of income and for other child support enforcement actions as required by the Personal Responsibility and Work Opportunity Reconciliation Act (Welfare Reform Law, Pub. L. 104-193).
  6. Standard routine uses as set forth in appendix A.

Policies and Practices for Storing, Retrieving, Accessing, Retaining, and Disposing of Records in the System:

Storage: Records are maintained in electronic media or in paper format.

Retrievability: Records are retrieved by name or social security number.

Safeguards: Records are maintained in secured offices, accessible by written authorization only.

Retention and Disposal: Records are retained and disposed of in accordance with GSA policy.

System Manager(s) and Address: Primary: Payroll Officer, Office of the Chief Financial Officer, National Credit Union Administration, 1775 Duke Street, Alexandria, Virginia 22314.

Secondary: Office Timekeepers, National Credit Union Administration, Central Office (1775 Duke Street, Alexandria, Virginia 22314) and Regional Offices (see appendix B for Regional Offices' addresses).

Notification Procedure: An individual may inquire as to whether the system contains a record pertaining to the individual by addressing a request in person or by mail to the system manager listed above. If there is no record on the individual, the individual will be so advised.

Record Access Procedures: Upon request, the system manager will set forth the procedures for gaining access to available records.

Contesting Record Procedures: Requests to amend or correct a record should be directed to the system manager listed above.

Record Source Categories: Information is primarily obtained from the individual whom the record concerns, the Office of Personnel Management, and the GSA. Also, time and attendance information is prepared and submitted by the timekeeper in a given employee's office.

NCUA-4

System Name: Travel Advance and Voucher Information System.

System Location: Office of the Chief Financial Officer, National Credit Union Administration, 1775 Duke Street, Alexandria, Virginia 22314.

Categories of Individuals Covered by the System: All NCUA employees who have traveled or relocated in the course of performing their duty and who have been reimbursed for the expense of such travel.

Categories of Records in the System: This system contains information from the following forms: Travel Vouchers (NCUA 1012), Relocation Travel Order (NCUA 1617) Application for Travel Advance (NCUA 1371), and Travel Voucher Cover Sheet (NCUA 1364), Agreement to Remain in Federal Service (NCUA 1030), Statement of Difference (NCUA 1310), Repayment of Travel Advance (NCUA 1372), Direct Deposit Form (SF-1199A).

Authority for Maintenance of the System: 5 U.S.C. 5701-5752; Executive Order 11609 (July 22, 1971); Executive Order 11012 (March 27, 1962); 5 U.S.C. 4101-4118; Federal Travel Regulations, FPMR 101-7, Chapter 2, Section 6.3.

Purpose: The purpose of this system is to allow for the management and storage of employee-related master data, properly account for employee-related reimbursements and provide documentary support for reimbursements to employees.

Routine Uses of Records Maintained in the System, Including Categories of Users and the Purposes of Such Uses:

  1. Records are used to provide documentary support for reimbursements to employees for on-the-job and relocation travel expenses.
  2. Users of the information include first and second line supervisors, NCUA accounting staff, and budgeting staff.
  3. Standard routine uses as set forth in appendix A.

Policies and Practices for Storing, Retrieving, Accessing, Retaining, and Disposing of Records in the System:

Storage: Records are stored in paper hard copy form and in a computer system.

Retrievabilty: Records are retrievable by social security number and name.

Safeguards: The paper hard copy records are maintained in secured offices. The computer disc and accounting system is located in a secured office and its access is limited to only those employees who need the information to process travel-related transactions.

Retention and Disposal: Records are maintained in the Division of Financial Control until the annual financial audit is completed. After the audit, the paper records are stored in a Federal Records Center for a minimum of three years and the computer disc is purged. The accounting system is archived as necessary.

System Manager(s) and Address: Director, Division of Financial Control, Office of the Chief Financial Officer, National Credit Union Administration, 1775 Duke Street, Alexandria, Virginia 22314.

Notification Procedure: An individual may inquire as to whether the system contains a record pertaining to the individual by addressing a request in person or by mail to the system manager listed above. If there is no record on the individual, the individual will be so advised.

Record Access Procedures: Upon request, the system manager will set forth the procedures for gaining access to available records.

Contesting Record Procedures: Requests to amend or correct a record should be directed to the system manager listed above.

Record Source Categories: Records are prepared by the individual whom the record concerns.

NCUA-6

System Name: Emergency Information (Employee) File.

System Location: For employees of a regional office, the system is located at the regional office where the employee is assigned, National Credit Union Administration, (See appendix B for addresses of Regional Offices). For employees of the central office, the system is located at the assigned office, National Credit Union Administration, 1775 Duke Street, Alexandria, Virginia, 22314.

Categories of Individuals Covered by the System: NCUA employees; individuals designated by employees as emergency contacts; family members of employees.

Categories of Records in the System: This system contains personal information about NCUA employees, such as height, weight, hair color, eye color, current address, and telephone number, and in some locations may also have a personal cell telephone number and personal email address. Also, this system identifies the individual to contact in case of an emergency involving the employee.

Authority for Maintenance of the System: 5 U.S.C. 301.

Purpose: The information in this system is used to maintain employee identification information in case of emergency.

Routine Uses of Records Maintained in the System, Including Categories of Users and the Purposes of Such Uses:

  1. The information on the individual to contact in cases of emergency may be disclosed in case of emergency to any federal, state or local authority responding to the emergency.
  2. In the event of an emergency, the information may be disclosed to the individual listed as a contact in case of emergency, or other person identified as a family member of the employee. This list is updated as necessary. The listed information is used to contact the employee if there is a national emergency.
  3. Standard routine uses as set forth in appendix A.

Policies and Practices for Storing, Retrieving, Accessing, Retaining, and Disposing of Records in the System:

Storage: Records are stored on paper hard copy and may also be stored electronically.

Retrievability: Records are indexed alphabetically by name and, where stored electronically as part of a computer system, are subject to electronic safeguards.

Safeguards: Records are maintained in locked file drawers or stored electronically as part of a computer database.

Retention and Disposal: Records are disposed of after an employee is separated from the agency.

System Manager(s) and Address: (1) For employees of an NCUA regional office, the system manager is the regional director of the regional office where the employee is assigned (See appendix B for addresses of Regional Offices). For employees of the central office, the system manager is the Office Director of the assigned office, National Credit Union Administration, 1775 Duke Street, Alexandria, Virginia, 22314.

Notification Procedure: An individual may inquire as to whether the system contains a record pertaining to the individual by addressing a request in person or by mail to the appropriate system manager listed above. If there is no record on the individual, the individual will be so advised

Record Access Procedures: Upon request, the system manager will set forth the procedures for gaining access to available records.

Contesting Record Procedures: Requests to amend or correct a record should be directed to the appropriate system manager listed above.

Record Source Categories: Individual on whom the record is maintained.

NCUA-8

System Name: Investigative Reports Involving Any Crime, Suspected Crime or Suspicious Activity Against A Credit Union

System Location: Office of General Counsel, National Credit Union Administration, 1775 Duke Street, Alexandria, VA 22314. Computerized records of Suspicious Activity Reports (SAR), with status updates, are managed by the Financial Crimes Enforcement Network (FinCEN), Department of the Treasury, pursuant to a contractual agreement, and are stored in Detroit, Michigan. Authorized personnel at NCUA's Central Office and regional offices have on-line access to the computerized database managed by FinCEN through individual work stations linked to the database central computer.

Categories of Individuals Covered by the System: Directors, officers, committee members, employees, agents, and persons participating in the conduct of the affairs of federally insured credit unions who are reported to be involved in suspected criminal activity or suspicious financial transactions and are referred to law enforcement officials; and other individuals who have been involved in irregularities, violations of law, or unsafe or unsound practices referenced in documents received by the NCUA in the course of exercising its supervisory functions.

Categories of Records in the System: Inter- and intra-agency correspondence, memoranda, and reports. The SAR contains information identifying the credit union involved, the suspected person, the type of suspicious activity involved, and any witnesses.

Authority for Maintenance of the System: 12 U.S.C. 1786 and 1789.

Purpose(s): The overall system serves as an NCUA repository for investigatory or enforcement information related to its responsibility to examine and supervise federally insured credit unions. The system maintained by FinCEN serves as the database for the cooperative storage, retrieval, analysis, and use of information relating to Suspicious Activity Reports made to or by the NCUA Board, the Federal Reserve Board, the Office of the Comptroller of the Currency, the Federal Deposit Insurance Corporation, the Office of Thrift Supervision, (collectively, the federal financial regulatory agencies), and FinCEN to various law enforcement agencies for possible criminal, civil, or administrative proceedings based on known or suspected violations affecting or involving persons, financial institutions, or other entities under the supervision or jurisdiction of such federal financial regulatory agencies.

Routine Uses of Records Maintained in the System, Including Categories of Users, and the Purposes of Such Uses: Information in these records may be used to:

  1. Determine if any further agency action should be taken.
  2. Provide the federal financial regulatory agencies and FinCEN with information relevant to their operations;
  3. Disclose information to third parties during the course of an investigation to the extent necessary to obtain information pertinent to the investigation;
  4. With regard to formal or informal enforcement actions; release information pursuant to 12 U.S.C. 1786(s), which requires the NCUA Board to publish and make available to the public final orders and written agreements, and modifications thereto; and
  5. Standard routine uses as set forth in appendix A.

Policies and Practices for Strong, Retrieving, Accessing, Retaining, and Disposing of Records in the System: Storage: The records will be maintained in electronic data processing systems and paper files.

Retrievability: Computer output and file folders are retrievable by indexes of data fields, including name of the credit union, NCUA Region, and individuals' names.

Safeguards: Paper records and word processing discs are stored at the NCUA in lockable metal file cabinets. The database maintained by FinCEN complies with applicable security requirements of the Department of the Treasury. On-line access to the information in the database is limited to authorized individuals who have been designated by each federal financial regulatory agency and FinCEN, and each such individual has been issued a nontransferable identifier or password.

Retention and Disposal: Records are maintained indefinitely.

System Manager(s) and Address: General Counsel, NCUA, 1775 Duke Street, Alexandria, VA 22314.

Notification Procedure: Inquiries should be sent to the System Manager as noted above.

Record Access Procedures: Same as “Notification procedure” above.

Contesting Records Procedures: Same as “Notification procedure” above.

Record Source Categories: Information received by the NCUA Board from various sources, including, but not limited to law enforcement and other agency personnel involved in sending inquiries to the NCUA Board, NCUA examiners, credit union officials, employees, and members. The information maintained by FinCEN is compiled from SAR and related historical and updating forms compiled by financial institutions, the NCUA Board, and the other federal financial regulatory agencies for law enforcement purposes.

System Exempted From Certain Provisions of the Act: This system is exempt from 5 U.S.C. 552a(c)(3), (d)(1), (d)(2), (d)(3), (d)(4), (e)(1), (e)(4) (G),(H) and (I), and (f) of the Privacy Act pursuant to 5 U.S.C. 552a(k)(2).

NCUA-9

System Name: Freedom of Information and Privacy Act Requests and Invoices

System Location: (1) Office of General Counsel, National Credit Union Administration, 1775 Duke Street, Alexandria, Virginia 22314. (2) Office of Inspector GeneralNational Credit Union Administration, 1775 Duke Street, Alexandria, Virginia 22314. (3) For requests prior to 2006 processed by a regional office, the system is located at the regional office (See appendix B for a list of addresses of the regional offices.) (4) For requests prior to 2006 processed by the Asset Management and Assistance Center, the system is located at AMAC, 4807 Spicewood Springs Road, Suite 5100, Austin, Texas 78759-8490.

Categories of Individuals Covered by the System: This system of records includes information pertaining to any Freedom of Information Act (FOIA) or Privacy Act requester.

Categories of Records in the System: The system may contain the requester’s name, company name or organization, address, date of request, invoice number, amount due, phone number, social security or tax identification number, description of information requested and documents located or result of search for documents.

Authority for Maintenance of the System: 12 U.S.C. 1789, 5 U.S.C. 552, 5 U.S.C. 552a.

Purpose: Records in this system are used to process requests received. These records may be used by the NCUA for collection of the amount due, as well as to identify subsequent requests made by the same individuals.

Routine Uses of Records Maintained in the System, Including Categories of Users and the Purposes of Such Uses:

  1. The information may be disclosed to a consumer reporting agency. The information disclosed to a consumer reporting agency is limited to:
    1. Information necessary to establish the identity of the individual, including name, address, and social security or taxpayer identification number;
    2. the amount, status, and history of the claim; and
    3. the agency or program under which the claim arose.

Policies and Practices for Storing, Retrieving, Accessing, Retaining, and Disposing of Records in the System:Storage: Records are maintained in paper and electronic form.

Retrievability: Records in this system are retrievable by requester’s name, company name or organization, date of request, category of requester, request number, invoice number, or key words.

Safeguards: Physical security consists of storing records on a password protected computer database and a hard copy secured in a metal file cabinet which is accessible only to those individuals responsible for processing requests and collecting outstanding payments.

Retention and Disposal: Records are retained for various periods depending on the determination made on the request, but normally no greater than six years following the year in which the request was processed.

System Manager(s) and Address: (1) Freedom of Information Act Officer, Office of General Counsel, National Credit Union Administration, 1775 Duke Street, Alexandria, Virginia 22314. (2) For requests processed by the Office of Inspector General, Inspector General, National Credit Union Administration, 1775 Duke Street, Alexandria, Virginia 22314.

Notification Procedure: An individual may inquire as to whether the system contains a record pertaining to the individual by addressing a request in person or by mail to the system manager listed above. If there is no record on the individual, the individual will be so advised.

Record Access Procedures: Upon request, the system manager will set forth the procedures for gaining access to available records.

Contesting Record Procedures: Requests to amend or correct a record should be directed to the system manager listed above.

Record Source Categories: The sources of records for this system of records are the FOIA and Privacy Act request files.

NCUA-10

System Name: Liquidating Credit Union Records System

System Location: Information within this system of records is located at the Asset and Management Assistance Center (AMAC) 4807 Spicewood Springs Road, Suite 5100, Austin, Texas 78759.

Categories of Individuals Covered by the System: Members, employees and creditors of liquidating federally-insured credit unions.

Categories of Records in the System: Share and account records; personal data regarding income and debts; payment or employment history; accounts payable records.

Authority for Maintenance of the System: 12 U.S.C. 1787.

Purpose: The information in this system is used to determine insurance, collect loan amounts due and for all purposes necessary to close out the affairs of the liquidated credit union.

Routine Uses of Records Maintained in the System, Including Categories of Users and the Purposes of Such Uses:

  1. Information is used for payment of insurance claims to shareholders in liquidating federally-insured credit unions.
  2. Information is used in the collection of outstanding loans, which may include referral of information to third party service providers or potential purchasers of the loans.
  3. Information is used for all purposes necessary to close out the affairs of the liquidated credit union and carry out all appropriate liquidation-related functions of NCUA.
  4. Information may be disclosed to address locators or a surety company in pursuit of a fidelity bond claim.
  5. Information on unclaimed insured shares is included in a database on the NCUA web site after other efforts to locate account holders have failed.
  6. Information may be disclosed to the appropriate federal, state or local government agency, such as the Internal Revenue Service, if required by law or regulation or upon appropriate request.
  7. Standard routine uses as set forth in appendix A.

Policies and Practices for Storing, Retrieving, Accessing, Retaining, and Disposing of Records in the System: Storage: This information is maintained on computer databases and hard copy. Copies of share and loan documents, incoming payments, and loan portfolios may also be maintained on microfilm copy.

Retrievability: Information is indexed by name of individual and by name of closed insured credit union.

Safeguards: Information is maintained in secured offices and in password protected computer databases.

Retention and Disposal: Information is maintained for six years following the appointment of the NCUA Board as liquidating agent of an insured credit union unless the NCUA’s Record Management Policy requires a different time period or does not require the information to be maintained. After the retention period is completed, the system manager may destroy any records that the system manager determines are unnecessary unless directed not to do so by a court of competent jurisdiction or governmental agency or prohibited by law.

System Manager(s) and Address: President, AMAC, 4807 Spicewood Springs Road, Suite 5100, Austin, Texas 78759-8490.

Notification Procedure: An individual may inquire as to whether the system contains information pertaining to the individual by addressing a request in person or by mail to the system manager listed above. If there is no information on the individual, the individual will be so advised. Written inquiries should include name of inquirer, name of closed insured credit union of which inquirer was a member, and share and loan account numbers, if known.

Record Access Procedures: Upon request, the system manager will set forth the procedures for gaining access to available information.

Contesting Record Procedures: Requests to amend or correct a record should be directed to the system manager listed above.

Record Source Categories: Information is obtained from outside address locators; share and loan account files of the liquidating credit union of which the individual was a member; third party service providers; and credit bureaus.

NCUA-11

System Name and Number: NCUA-11, Office of Inspector General (OIG) Investigative Records.

Security Classification: Unclassified.

System Location: Office of Inspector General, National Credit Union Administration, 1775 Duke Street, Alexandria, VA 22314-3428.

System Manager(s): Counsel to the Inspector General/Assistant Inspector General for Investigations, National Credit Union Administration, 1775 Duke Street, Alexandria, Virginia 22314-3428.

Authority for Maintenance of the System: Federal Credit Union Act, 12 U.S.C. 1751, et seq., and the Inspector General Act of 1978, 5 U.S.C. 401, et seq.

Purpose(s) of the System: This system is maintained for the purposes of:

  1. Conducting and documenting investigations by the OIG or other investigative agencies regarding NCUA programs, operations, personnel, and contractors, and reporting the results of investigations to NCUA management, other Federal agencies, and other public authorities or professional organizations that have the authority to bring criminal prosecutions or civil or administrative actions, or to impose disciplinary sanctions;
  2. Documenting the outcome of OIG investigations;
  3. Maintaining a record of the activities that were the subject of investigations;
  4. Reporting investigative findings for use in operating and evaluating NCUA programs or operations and in the imposition of sanctions;
  5. Maintaining a record of complaints and allegations received regarding NCUA programs, operations, and personnel, and documenting the outcome of OIG reviews and disposition of those complaints and allegations;
  6. Coordinating relationships with other Federal agencies, State and local governmental agencies, and nongovernmental entities in matters relating to the statutory responsibilities of the OIG and reporting to such entities on government-wide efforts pursuant to the oversight of Federal funds;
  7. Acting as a repository and source for information necessary to fulfill the reporting requirements of the Inspector General Act, 5 U.S.C. 401-424;
  8. Reporting on OIG activities to the Council of Inspectors General for Integrity and Efficiency (CIGIE); and
  9. Participating in CIGIE’s investigative qualitative assessment review process.

Categories of Individuals Covered by the System: Subjects of investigation, complainants, and witnesses referred to in complaints or investigative cases, reports, accompanying documents, and correspondence prepared by, compiled by, or referred to the OIG.

Categories of Records in the System: The system is comprised of OIG investigation files and complaint files. These files include reports of investigations with related exhibits, statements, affidavits, or other pertinent documents. Files may contain memoranda; computer-generated background information; location information; payroll, time sheets, and travel records; correspondence, including call, text, and email records; and reports from or to other law enforcement bodies pertaining to violations or potential violations of criminal laws, fraud, or abuse with respect to administration of NCUA programs and operations, and violations of employee and contractor standards of conduct. Records in this system may contain personally identifiable information such as names, Social Security numbers, dates of birth, and addresses. This system may also contain such information as employment history, bank account information, driver’s licenses, vehicle registration, educational records, criminal history, photographs, voice recordings, and other information of a personal nature provided or obtained in connection with an investigation.

Routine Uses of Records Maintained in the System, Including Categories of Users and Purposes of Such Uses: In addition to those disclosures generally permitted under 5 U.S.C. 552a(b) of the Privacy Act, these records or information contained therein may specifically be disclosed outside the NCUA as a routine use pursuant to 5 U.S.C. 552a(b)(3) as follows:

  1. If a record in a system of records indicates a violation or potential violation of civil or criminal law or a regulation, and whether arising by general statute or particular program statute, or by regulation, rule, or order, the relevant records in the system of records may be disclosed as a routine use to the appropriate agency, whether Federal, State, local, or foreign, charged with the responsibility of investigating or prosecuting such violation or charged with enforcing or implementing the statute, rule, regulation, or order issued pursuant thereto;
  2. A record in a system of records may be disclosed as a routine use to a member of Congress or to a congressional staff member in response to an inquiry from the congressional office made at the request of the individual about whom the record is maintained;
  3. A record in a system of records may be disclosed as a routine use to the Department of Justice, when: (a) NCUA, or any of its components or employees acting in their official capacities, is a party to litigation; or (b) Any employee of NCUA in his or her individual capacity is a party to litigation and where the Department of Justice has agreed to represent the employee; or (c) The United States is a party in litigation, where NCUA determines that litigation is likely to affect the agency or any of its components, is a party to litigation or has an interest in such litigation, and NCUA determines that use of such records is relevant and necessary to the litigation;
  4. A record in a system of records may be disclosed as a routine use in a proceeding before a court or adjudicative body before which NCUA is authorized to appear (a) when NCUA or any of its components or employees are acting in their official capacities; (b) where NCUA or any employee of NCUA in his or her individual capacity has agreed to represent the employee; or (c) where NCUA determines that litigation is likely to affect the agency or any of its components, is a party to litigation or has an interest in such litigation, and NCUA determines that use of such records is relevant and necessary to the litigation;
  5. A record from a system of records may be disclosed as a routine use to contractors, experts, consultants, and the agents thereof, and others performing or working on a contract, service, cooperative agreement, or other assignment for NCUA when necessary to accomplish an agency function or administer an employee benefit program. Individuals provided information under this routine use are subject to the same Privacy Act requirements and limitations on disclosure as are applicable to NCUA employees;
  6. A record from a system of records may be disclosed as a routine use to the Department of Justice, including its U.S. Attorney’s Offices, and State and local prosecutors, to the extent necessary to obtain legal advice on any matter relevant to an OIG investigation, audit, inspection, or other inquiry related to the responsibilities of the OIG;
  7. A record from a system of records may be disclosed as a routine use to any Federal agency, entity, or board responsible for coordinating and conducting oversight of Federal funds, in order to prevent fraud, waste, and abuse related to Federal funds, or for assisting in the enforcement, investigation, prosecution, or oversight of violations of administrative, civil, or criminal law or regulation, if that information is relevant to any enforcement, regulatory, investigative, prosecutorial, or oversight responsibility of the NCUA or of the receiving entity;
  8. A record from a system of records may be disclosed as a routine use to another Federal agency considering suspension or debarment action if the information is relevant to the suspension or debarment action. The OIG also may disclose information to another agency to gain information in support of the NCUA’s own debarment and suspension actions;
  9. A record from a system of records may be disclosed as a routine use to the Council of the Inspectors General on Integrity and Efficiency (CIGIE) to assist in its preparation of reports, analysis, surveys, coordination of investigations, and other CIGIE activities;
  10. A record from a system of records may be disclosed as a routine use to other Federal entities, such as other Offices of Inspector General, to the Government Accountability Office, or to a private party with which the OIG or the NCUA has contracted or with which it contemplates contracting, for the purpose of auditing or reviewing the performance or internal management of the OIG’s audit or investigative programs.
  11. A record from a system of records may be disclosed as a routine use to a complainant alleging whistleblower reprisal and the complainant’s employer (current or former) that at the time of the alleged reprisal was a grantee, subgrantee, contractor, or subcontractor of the NCUA, to fulfill the whistleblower reprisal investigation reporting requirements of 41 U.S.C. 4712(b)(1) or any other whistleblower reprisal law requiring a disclosure to a complainant or an entity that employs or employed the complainant;
  12. A record from a system of records may be disclosed to appropriate agencies, entities, and persons when (1) NCUA suspects or has confirmed that the security or confidentiality of information in the system of records has been compromised; (2) NCUA has determined that as a result of the suspected or confirmed compromise there is a risk of harm to economic or property interests, identity theft or fraud, or harm to the security or integrity of this system or other systems or programs (whether maintained by NCUA or another agency or entity) that rely upon the compromised information; and (3) the disclosure made to such agencies, entities, and persons is reasonably necessary to assist in connection with NCUA’s efforts to respond to the suspected or confirmed compromise and prevent, minimize, or remedy such harm; and
  13. A record from a system of records may be disclosed to another Federal agency or Federal entity, when the NCUA determines that information from this system of records is reasonably necessary to assist the recipient agency or entity in (1) responding to a suspected or confirmed breach or (2) preventing, minimizing, or remedying the risk of harm to individuals, the recipient agency or entity (including its information systems, programs, and operations), the Federal Government, or national security, resulting from a suspected or confirmed breach.

Policies and Practices for Storage of Records: Electronic records and backups are stored on secure servers, approved by NCUA’s Office of the Chief Information Officer (OCIO), within a FedRAMP-authorized commercial Cloud Service Provider’s (CSP) Software-as-a-Service solution hosting environment and accessed only by authorized personnel.

Policies and Practices for Retrieval of Records: Information is retrieved by case number, general subject matter, or name of the subject of investigation.

Policies and Practices for Retention and Disposal of Records: Records are maintained and disposed in accordance with the General Records Retention Schedules issued by the National Archives and Records Administration (NARA) or an NCUA records disposition schedule approved by NARA.

Administrative, Technical and Physical Safeguards: NCUA and the Cloud Service Provider have implemented the appropriate administrative, technical, and physical controls in accordance with the Federal Information Security Modernization Act of 2014, Pub. L. 113-283, S. 2521, and NCUA’s information security policies to protect the confidentiality, integrity, and availability of the information system and the information contained therein. Access is limited only to individuals authorized through NIST-compliant Identity, Credential, and Access Management policies and procedures. The records are maintained behind a layered defensive posture consistent with all applicable Federal laws and regulations, including OMB Circular A-130 and NIST Special Publication 800-37.

Record Access Procedures: Individuals wishing access to their records should submit a written request to the Senior Agency Official for Privacy, NCUA, 1775 Duke Street, Alexandria, VA 22314, and provide the following information:

  1. Full name.
  2. Any available information regarding the type of record involved.
  3. The address to which the record information should be sent.
  4. You must sign your request.

Attorneys or other persons acting on behalf of an individual must provide written authorization from that individual for the representative to act on their behalf. Individuals requesting access must also comply with NCUA’s Privacy Act regulations regarding verification of identity and access to records (12 CFR 792.55).

Contesting Record Procedures: Individuals wishing to request an amendment to their records should submit a written request to the Senior Agency Official for Privacy, NCUA, 1775 Duke Street, Alexandria, VA 22314, and provide the following information:

  1. Full name.
  2. Any available information regarding the type of record involved.
  3. A statement specifying the changes to be made in the records and the justification therefore.
  4. The address to which the response should be sent.
  5. You must sign your request.

Attorneys or other persons acting on behalf of an individual must provide written authorization from that individual for the representative to act on their behalf.

Notification Procedures: Individuals wishing to learn whether this system of records contains information about them should submit a written request to the Senior Agency Official for Privacy, NCUA, 1775 Duke Street, Alexandria, VA 22314, and provide the following information:

  1. Full name.
  2. Any available information regarding the type of record involved.
  3. The address to which the record information should be sent.
  4. You must sign your request.

Attorneys or other persons acting on behalf of an individual must provide written authorization from that individual for the representative to act on their behalf. Individuals requesting access must also comply with NCUA’s Privacy Act regulations regarding verification of identity and access to records (12 CFR 792.55).

Exemptions Promulgated for the System: Pursuant to 5 U.S.C. 552a(j)(2), this system of records is exempt from subsections (c)(3) and (4), (d), (e)(1), (e)(2), (e)(3), (e)(4)(G), (e)(4)(H), (e)(4)(I), (e)(5), (e)(8), (f) and (g) of the Act. This exemption applies to information in the system that relates to criminal law enforcement and meets the criteria of the (j)(2) exemption. Pursuant to 5 U.S.C. 552a(k)(2), to the extent that the system contains investigative material compiled for law enforcement purposes, other than material within the scope of subsection (j)(2), this system of records is exempt from 5 U.S.C. 552a(c)(3), (d), (e)(1), (e)(4)(G), (H), and (I), and (f). The exemption rule is contained in 12 CFR 792.66 of the NCUA regulations.

History: This SORN was published originally as NCUA-20, “Investigation Files,” at 53 FR 37372 (Sept. 26, 1988); renamed to “Office of Inspector General Investigative Records” at 60 FR 18149 (April 10, 1995); and renumbered as NCUA-11 at 65 FR 3486 (Feb. 20, 2000). Subsequent modifications were published at 71 FR 77807 (Dec. 27, 2006) and 75 FR 41539 (July 16, 2010).

NCUA-12

System Name and Number: Consumer Complaints Against Federal Credit Unions – NCUA-12

Security Classification: None.

System Location: NCUA Consumer Assistance Center, Office of Consumer Financial Protection, National Credit Union Administration, 1775 Duke Street, Alexandria, VA. 22314. Third party service provider, Salesforce.com, Inc. The Landmark at One Market, Suite 300, San Francisco, CA 94105.

System Manager(s): Division of Consumer Affairs Director, Office of Consumer Financial Protection, National Credit Union Administration, 1775 Duke Street, Alexandria, Virginia 22314.

Authority for Maintenance of the System: 12 U.S.C. 1752a, 12 U.S.C. 1766, 12 U.S.C. 1784(a), and 12 U.S.C. 1789.

Purpose(s) of the System: The system supports the NCUA’s supervisory oversight and enforcement responsibilities to intake and respond to consumer inquiries, complaints and other communications from the general public, credit unions and other state and federal government banking and law enforcement agencies regarding federal consumer financial protection laws, regulations and credit union activity.

Categories of Individuals Covered by the System: Individuals who are members of the public that contact the NCUA’s Consumer Assistance Center by telephone, written correspondence and web search, including both general inquiries and complaints concerning federal financial consumer protection matters within credit unions.

Categories of Records in the System: This system contains correspondence and records of other communications between the NCUA and the individual submitting a complaint or making an inquiry, including copies of supporting documents and contact information supplied by the individual. This system may also contain regulatory and supervisory communications between the NCUA and the NCUA-insured credit union in question and/or intra-agency or inter-agency memoranda or correspondence relevant to the complaint or inquiry.

Record Source Categories: Information is provided by the individual complainant, and his or her representative such as, a member of Congress or an attorney. Information is also provided by federal credit union officials and employees. Information is provided by the individual to whom the record pertains, internal agency records, and investigative and other record material compiled in the course of an investigation, or furnished by other state and federal financial regulatory and law enforcement government agencies.

Routine Uses of Records Maintained in the System, Including Categories of Users and the Purposes of Such Uses: The NCUA’s Consumer Assistance Center uses these records to document the submission of and responses to consumer inquiries, complaints and other communications from the general public regarding federal consumer financial protection laws, regulations and credit union activity.

In addition to those disclosures generally permitted under 5 U.S.C. 552a(b) of the Privacy Act, all or a portion of the records or information contained in this system may be disclosed outside the NCUA as a routine use as follows:

(1) Information may be disclosed to officials of federal credit unions and other persons mentioned in a complaint or identified during an investigation.

(2) Disclosures may be made to the Federal Reserve Board, other federal financial regulatory agencies, the Federal Financial Institutions Examination Council, the White House Office of Consumer Affairs, and the Congress, or any of its authorized committees in fulfilling reporting requirements or assessing implementation of applicable laws and regulations. (Such disclosures will be made in a non-identifiable manner when feasible and appropriate.)

(3) Referrals may also be made to other federal and nonfederal supervisory or regulatory authorities when the subject matter is a complaint or inquiry which is more properly within such agency's jurisdiction.

(4) NCUA’s Standard Routine Uses apply to this system of records.

Policies and Practices for Storage of Records: Records are stored electronically and physically.

Policies and Practices for Retrievability of Records: Records are retrieved by individual identifiers such as individual complainant’s name.

Policies and Practices for Retention and Disposal of Records: All records, including audio records, are retained in a secure and encrypted cloud-based storage system for a period of seven years consistent with the National Archives and Records Administration records retention schedule.

Administrative, Technical and Physical Safeguards: Information in the system is safeguarded in accordance with the applicable laws, rules and policies governing the operation of federal information systems.

Record Access Procedures: Individuals wishing access to their records should submit a written request to the Senior Agency Official for Privacy, NCUA, 1775 Duke Street, Alexandria, VA 22314, and provide the following information:

  1. Full Name.
  2. Any available information regarding the type of record involved.
  3. The address to which the record information should be sent.
  4. You must sign your request.

Attorneys or other persons acting on behalf of an individual must provide written authorization from that individual for the representative to act on their behalf. Individuals requesting access must also comply with NCUA’s Privacy Act regulations regarding verification of identity and access to records (12 CFR 792.55).

Contesting Record Procedures: Individuals wishing to request an amendment to their records should submit a written request to the Senior Agency Official for Privacy, NCUA, 1775 Duke Street, Alexandria, VA 22314, and provide the following information:

  1. Full name.
  2. Any available information regarding the type of record involved.
  3. A statement specifying the changes to be made in the records and the justification therefore.
  4. The address to which the response should be sent.
  5. You must sign your request.

Attorneys or other persons acting on behalf of an individual must provide written authorization from that individual for the representative to act on their behalf.

Notification Procedures: Individuals wishing to learn whether this system of records contains information about them should submit a written request to the Senior Agency Official for Privacy, NCUA, 1775 Duke Street, Alexandria, VA 22314, and provide the following information:

  1. Full name.
  2. Any available information regarding the type of record involved.
  3. The address to which the record information should be sent.
  4. You must sign your request.

Attorneys or other persons acting on behalf of an individual must provide written authorization from that individual for the representative to act on their behalf. Individuals requesting access must also comply with NCUA’s Privacy Act regulations regarding verification of identity and access to records (12 CFR 792.55).

History: This system of records notice was originally published in 65 FR 3486 (January 21, 2000). It was republished (but not substantively changed in 75 FR 41539 (July 16, 2010), and 71 FR 77807 (December 27, 2006).

NCUA-13

System Name: Litigation Case Files

System Location: Office of General Counsel, National Credit Union Administration, 1775 Duke Street, Alexandria, Virginia 22314.

Categories of Individuals Covered by the System: Records are maintained in files by the case name of individuals who are: the subject of NCUA investigations made in contemplation of legal action; involved in civil litigation with NCUA or involved in administrative proceedings; involved in litigation of interest to NCUA; or pursuing tort claims.

Categories of Records in the System: Records in case files include: Investigative reports relating to possible felonies or violations of the Federal Credit Union Act; transcripts of testimony or affidavits; documents and other evidentiary matters, pleadings and other documents filed in court; orders filed or issued in civil, administrative or criminal proceedings; correspondence relating to investigatory or litigation matters; information provided by the individual under investigation or from a federal credit union; and other memoranda gathered and prepared by staff in performance of their duties.

Authority for Maintenance of the System: 12 U.S.C. 1766, 1786, 1787, and 1789; 28 U.S.C. 2671-2680.

Purpose: This system documents the preparation and progress of legal proceedings and investigations conducted by the Office of General Counsel.

Routine Uses of Records Maintained in the System, Including Categories of Users and the Purposes of Such Uses:

  1. The staff of the Office of General Counsel may use such records to render legal advice concerning investigations or courses of legal action; to represent NCUA in all judicial and administrative proceedings in which NCUA or any of its employees who, within the scope of employment and in an official capacity, is a party; or to intervene as an amicus curiae.
  2. The information in this system may be disclosed to federal, state, local or professional licensing boards or Boards of Medical Examiners, when such records reflect on the qualifications or fitness of a licensed individual or an individual seeking to be licensed
  3. Standard routine uses set forth in appendix A.

System Manager(s) and Address: General Counsel, National Credit Union Administration, 1775 Duke Street, Alexandria, Virginia 22314.

Notification Procedure: An individual may inquire as to whether the system contains a record pertaining to the individual by addressing a request in person or by mail to the system manager listed above. If there is no record on the individual, the individual will be so advised.

Record Access Procedures: Upon request, the system manager will set forth the procedures for gaining access to available records.

Contesting Record Procedures: Requests to amend or correct a record should be directed to the system manager listed above.

Record Source Categories: Record source categories vary depending upon the legal issue but generally are obtained from the following: NCUA staff and internal agency memoranda; federal employees and private parties involved in torts; contracts; federal credit union files or officials; general law texts and sources; law enforcement officers; witnesses and others; administrative and court pleadings, transcripts or judicial orders/decisions; evidence gathered in connection with the matter involved; and from individuals to whom the records relate.

Systems Exempted From Certain Provisions of the Act: This system is subject to the specific exemption provided by 5 U.S.C. 552a(k)(2), as the system of records is investigatory material compiled for law enforcement purposes.

NCUA-15

System Name: Contract Employee Pay and Leave Records

System Location: Information within this system of records is located at the Asset Management and Assistance Center (AMAC) 4807 Spicewood Springs Road, Suite 5100, Austin TX 78759-8490, and the payroll processor, Paychex of San Antonio, Texas.

Categories of Individuals Covered by the System: Contract employees hired by the Agent for the Liquidating Agent for work on liquidation cases.

Categories of Records in the System: Wages and related payroll data, including leave records.

Authority for Maintenance of the System: Fair Labor Standards Act.

Purpose: This system documents employee information and ensures that employees receive proper compensation.

Routine Uses of Records Maintained in the System, Including Categories of Users and Purposes of Such Uses: Information is used to document time worked and provide a record of attendance to support payment of wages and use of leave. Users of the system include the payroll officer (financial analyst), the employee’s supervisor, and Paychex.

Policies and Practices for Storing, Retrieving, Accessing, Retaining, and Disposing of Records in the System:

Storage: Records are maintained in file folders.

Retrievability: Records are retrieved by name.

Safeguards: Records are maintained in a secured file cabinet, accessible only to the payroll officer and division manager.

Retention and Disposal: Records are retained and disposed of in accordance with the Fair Labor Standards Act.

System Manager(s) and Address: Primary: Financial Analyst, Asset Management and Assistance Center (4807 Spicewood Springs Road, Suite 5100, Austin TX 78759-8490). Secondary: Division of Accounting Service Director, Asset Management and Assistance Center (4807 Spicewood Springs Road, Suite 5100, Austin TX 78759-8490)

Notification Procedure: An individual may inquire as to whether the system contains a record pertaining to the individual by addressing a request in person or by mail to the system manager listed above. If there is no record on the individual, the individual will be so advised.

NCUA-16

System Name: Leave Transfer Program Case Files

System Location: Office of Human Resources, 1775 Duke Street, Alexandria, VA 22314

Categories of Individuals Covered by the System: NCUA employees who submitted applications to become leave recipients under the provisions of the Leave Transfer program.

Categories of Records in the System: Leave transfer program applications, leave requests, and medical documentation.

Authority for Maintenance of the System: 5 CFR 630.913.

Purpose: To administer the NCUA leave transfer program.

Routine Uses of Records Maintained in the System, Including Categories of Users and Purposes of Such Uses: These records are used to administer the NCUA leave transfer program.

Policies and Practice for Storing, Retrieving, Accessing, Retaining, and Disposing of Records in the System: Storage: These records are maintained in file folders and filed in metal file cabinets.

Retrievability: The records are retrieved by the names of the employee.

Safeguards: These files are kept in a locked room and are available only to authorized personnel whose duties require access.

Retention and Disposal: These records are maintained in accordance with NARA General Records Schedules 1 (Civilian Personnel Records). Disposal of manual records is by shredding.

System Manager(s) and Address: Director, Office of Human Resources, National Credit Union Administration, 1775 Duke Street, Alexandria, VA 22314.

Notification Procedure: An individual or an individual’s authorized representative may inquire as to whether the system contains a record pertaining to the individual by addressing a request in person or by mail to the system manager listed above. If there is no record on the individual, the individual will be so advised.

NCUA-17

System Name: Personal Identity Verification Files

System Location: Office of Human Resources, National Credit Union Administration, 1775 Duke Street, Alexandria, VA 22314

Categories of Individuals Covered by the System: Individuals who require regular, ongoing access to federal facilities, information technology systems, or information classified in the interest of national security, including applicants for employment or contracts, federal employees, contractors, students, interns, volunteers, affiliates, individuals authorized to perform or use services provided in NCUA facilities and individuals formerly in any of these positions. The system also includes individuals accused of security violations or found in violation.

Categories of Records in the System: Name, former names, birth date, birth place, Social Security number, home address, phone numbers, employment history, residential history, education and degrees earned, names of associates and references and their contact information, citizenship, names of relatives, birthdates and places of relatives, citizenship of relatives, names of relatives who work for the federal government, criminal history, mental health history, drug use, financial information, fingerprints, summary report of investigation, results of suitability decisions, level of security clearance, date of issuance of security clearance, requests for appeal, witness statements, investigator’s notes, tax return information, credit reports, security violations, circumstances of violation, and agency action taken. Copies of background investigation forms such as the SF-85, SF-85P, SF-86, or SF-87 may also be included in this file.

Authority for Maintenance of the System: Executive orders 10450, 10865, 12333, and 12356; sections 3301 and 9101 of title 5, U.S. Code; sections 2165 and 2201 of title 42, U.S. Code; sections 781 to 887 of title 50, U.S. Code; parts 5, 732, and 736 of title 5, Code of Federal Regulations; and Homeland Security Presidential Directive (HSPD) 12, Policy for a Common Identification Standard for Federal Employees and Contractors, August 27, 2004.

Purpose(s): The records in this system of records are used to document and support decisions regarding clearance for access to classified information, the suitability, eligibility, and fitness for service of applicants for federal employment and contract positions, including students, interns, or volunteers to the extent their duties require access to federal facilities, information, systems, or applications. The records may be used to document security violations, employee access and attendance, and supervisory actions taken.

Routine Uses of Records Maintained in the System, Including Categories of Users and the Purposes of Such Uses:

  1. The information maintained in this system is collected from PIV Applicants, the individuals to whom a PIV card is issued. The PIV Applicant may be a current or prospective Federal hire, a Federal employee or a contractor. The information is used in each step of the PIV Process for example, conducting a background investigation, completing the identity proofing and registration process, creating an employee record in the Comprehensive Human Resources Integrated System (CHRIS), issuing a PIV card and the determination of physical and logical access. Additionally, the information such as card expiration date, PIV Registrar Approval, etc. is maintained in this file and is used to assist in the production of the PIV card.
  2. The information in this system may be disclosed to the United States Office of Personnel Management, the Merit Systems Protection Board, the Office of Special Counsel, the Equal Employment Opportunity Commission, the Federal Labor Relations Authority, the General Services Administration or an arbitrator or agent to the extent the disclosure is needed to carry out the government-wide personnel management, investigatory, adjudicatory and appellate functions within their respective jurisdictions, or to obtain information.
  3. The information in this system may be disclosed to federal, state, local or professional licensing boards or boards of Medical Examiners, when such records reflect on the qualifications of a licensed individual or individual seeking to be licensed.
  4. Standard routine uses as set forth in Appendix A.

Policies and Practice for Storing, Retrieving, Accessing, Retaining and Disposing of Records in the System:

Storage: Records are stored on paper and electronically in a secure location.

Retrievability: Files are retrieved by name or Social Security number (SSN), employee name, and employee identification number.

Safeguards: For paper records: Comprehensive paper records are kept in a secure room at NCUA Central Office, Office of Human Resources. Limited paper records may be kept at NCUA regional offices in locked file cabinets in locked rooms. Access to the records is limited to those employees who have a need for them in the performance of their official duties.

For electronic records: Comprehensive electronic records are kept at the NCUA Central Office, Office of Human Resources. Access to the records is restricted to those with a specific role in the PIV process that requires access to information to perform their duties, and who have been given a password to access that part of the system. Controls are in place to identify unauthorized access. Persons given roles in the PIV process must complete training specific to their roles to ensure they are knowledgeable about how to protect individually identifiable information. Electronic records of security badge and parking pass usage for access to the Central Office and access to parking are accessible by selected staff in the Division of Procurement and Facilities Management.

Retention and Disposal: Records are destroyed upon notification of death or not later than five years after separation or transfer of employee to another agency, whichever is applicable.

System Manager(s) and Address: Security Officer, Office of Human Resources, National Credit Union Administration, 1775 Duke Street, Alexandria, VA 22314.

Notification Procedure: An individual can determine if this system contains a record pertaining to the individual by addressing a request in writing to the system manager listed above. If there is no record on the individual, the individual will be so advised. When requesting notification of or access to records covered by this system, an individual should provide at a minimum his/her full name, date of birth, office and duty location in order to establish identity.

Records Access Procedures: Upon request, the system manager will set forth the procedures for gaining access to available records.

Contesting Record Procedures: Requests to amend or correct a record should be directed to the system manager listed above. Requesters should also reasonably identify the record, specify the information they are contesting, state the corrective action sought and the reasons for the correction along with supporting justification showing why the record is not accurate, timely, relevant, or complete.

Record Source Categories: Information is obtained from a variety of sources including the employee, contractor, or applicant via use of the SF-85, SF-85P, or SF-86 and personal interviews; employers’ and former employers’ records; FBI criminal history records and other databases; financial institutions and credit reports; medical records and health care providers; educational institutions; interviews of witnesses such as neighbors, friends, co-workers, business associates, teachers, landlords, or family members; tax records; and other public records. Security violation information is obtained from a variety of sources, such as witnesses or supervisor’s reports. Electronic records are created based on use of security badges and parking passes at readers at entrances and exits to parking at the Central Office, building entrances, and building elevators.

NCUA-18

System Name: Credit Union Service Organization (CUSO) Registry System

Security Classification: Unclassified

System Location: Office of Examination and Insurance, National Credit Union Administration, 1775 Duke Street, Alexandria, VA. 22314.

Categories of Individuals Covered by This System: Individuals responsible for the content and submission of information to the CUSO Registry System and individuals with an ownership interest in the CUSO.

Categories of Records in the System: Information used to identify and contact individuals covered by the system including name, address, and telephone number.

Authority for Maintenance of the System: 12 U.S.C. 1756, 1757(5)(D) and (7)(I), 1766, 1781(b)(9), 1782, 1784, 1785, 1786 and 1789(11).; 12 CFR parts 712 and 741.

Purpose(s): The collected information enables NCUA to identify concentrations and interdependencies between CUSOs and across supervised credit unions. It also improves the consistency and transparency of CUSO information and facilitates NCUA's ability to identify any potential systemic safety and soundness concerns stemming from relationships between credit unions and CUSOs.

Disclosure to Consumer Reporting Agencies: None.

Routine Uses of Records Maintained in the System, Including Categories of Users and the Purposes of Such Uses: NCUA may share information in this system with appropriate federal or state financial supervision authorities. Contact information is used for communication and authentication purposes. A registered CUSO may authorize other users, such as owner credit unions or affiliated CUSOs or individuals, to access its record.

Policies and Practice for Storing, Retrieving, Accessing, Retaining and Disposing of Records in the System: Storage: Records are stored electronically.

Retrievability: Records are retrieved by individual business identifiers such as business name, system-assigned registry number, unique user identification, or by an individual identifier with non-individually identifiable information.

Safeguards: Information in the system is safeguarded in accordance with the applicable laws, rules and policies governing the operation of federal information systems. Information in the system that is available to the general public does not include any privacy-related information. Access to privacy-related information is password protected and restricted to authorized personnel.

Retention and Disposal: Records are maintained until they become inactive. Records are disposed in accordance with NCUA record retention schedules and consistent with destruction methods appropriate to the type of information.

System Manager(s) and Address: CUSO Program Officer, Office of Examination and Insurance, National Credit Union Administration, 1775 Duke Street, Alexandria, VA 22314.

Notification Procedure: An individual can determine if this system contains a record pertaining to the individual by addressing a request in writing to the system manager listed above. If there is no record on the individual, the individual will be so advised. The individual must provide his/her full name and identify the CUSO he/she is associated with as well as contact information for a response.

Record Access Procedures: Upon verification that an individual has a record in the system, as determined by the notification procedure above, the system manager will provide the procedure for gaining access to available records.

Contesting Record Procedures: Requests to amend or correct a record should be directed to the system manager listed above. Requesters should also reasonably identify the record, specify the information they are contesting, state the corrective action sought and the reasons for the correction along with supporting justification showing why the record is not accurate, timely, relevant, or complete.

Record Source Categories: Information is provided by the individual to whom the record pertains or by a representative of the associated CUSO.

Exemptions Claimed for the System: None.

NCU​A-19

System Name and Number: NCUA Financial and Acquisition Management System, NCUA-19

Security Classification: None.

System Location: Enterprise Services Center, 6500 South MacArthur Blvd., Oklahoma City, OK 73169; NCUA, 1775 Duke Street, Alexandria, VA 22314.

System Manager(s): Chief Financial Officer, Office of the Chief Financial Officer, NCUA, 1775 Duke Street, Alexandria, VA 22314.

Authority for Maintenance of the System: 12 USC 1751; 31 U.S.C. 3501, et seq. and 31 U.S.C. 7701(c). Where the employee identification number is the social security number, collection of this information is authorized by Executive Order 9397.

Purpose(s) of the System: This system serves as the core financial and acquisition system and integrates program, financial, and budgetary information. Records are collected to ensure that all obligations and expenditures (other than those in the pay and leave system) are in conformance with laws, existing rules and regulations, and good business practices, and to maintain subsidiary records at the proper account and/or organizational level where responsibility for control of costs exists.

Categories of Individuals Covered by the System: A employees, contractors, suppliers, vendors, interns, and customers.

Categories of Records in the System: Employee personnel information: Limited to current and former NCUA employees, and includes name, address, Social Security number (SSN). Business-related information: Limited to contractors/vendors, customers, and credit unions (but not their members), and includes name of the company/agency, point of contact, telephone number, mailing address, email address, contract number, vendor number (system unique identifier), DUNS number, and TIN, which could be a SSN in the case of individuals set up as sole proprietors, and total assets and insured shares. Financial information: Includes financial institution name, lockbox number, routing transit number, deposit account number, account type, debts (e.g., unpaid bills/invoices, overpayments, etc.), and remittance address.

Record Source Categories: The information maintained in Department of Transportation, (DOT)/Enterprise Service Center (ESC) systems including: Purchase orders, contracts, vouchers, invoices, contracts, disbursements, receipts/collections, Pay.Gov transactions, and related records; U.S. General Services Administration (GSA) Federal personnel payroll system (for payroll disbursement postings): Concur (for travel disbursements); JPMorgan Chase (for charge card payments; travel advance applications; other records submitted by individuals, employees, vendors, and other sources.

Routine Uses of Records Maintained in the System, Including Categories of Users and Purposes of Such Uses: In addition to those disclosures generally permitted under 5 U.S.C. 552a(b) of the Privacy Act, these records or information contained therein may specifically be disclosed outside NCUA as a routine use pursuant to 5 U.S.C. 552a(b)(3) as follows:

  1. ​NCUA’s Standard Routine Uses​ apply to this system of records.
  2. Records may be shared with a vendor that NCUA is doing business with if a dispute about payments or amounts due arises. In such a situation, only the minimum amount of information need to resolve the dispute will be shared with the vendor.

Policies and Practices for Storage of Records:: Records are maintained in paper and/or electronic form. Records are also maintained on NCUA’s network back-up tapes. Electronic records are stored in computerized databases. Records are stored in locked file rooms and/or file cabinets.

Policies and Practices for Retrievability of Records: Records are retrieved by any one or more of the following: Records may be retrieved by a name of employee, employee ID, employee NCUA email address, social security number (SSN) for employees, SSN/Tax Identification Number (TIN) for vendors doing business with the NCUA, name for both employees and vendors, supplier number (system unique) for both employees and vendors, DUNS and DUNS + 4.

Policices and Practices for Retention and Disposal of Records: Records are maintained in accordance with the General Records Retention Schedules issued by the National Archives and Records Administration (NARA) or a NCUA records disposition schedule approved by NARA.

Records existing on paper are destroyed beyond recognition. Records existing on computer storage media are destroyed according to the applicable NCUA media sanitization practice.

Administrative, Technical, and Physical Safeguards: NCUA has adopted appropriate administrative, technical, and physical controls in accordance with NCUA’s information security policies to protect the security, integrity, and availability of the information, and to ensure that records are not disclosed to or accessed by unauthorized individuals.

Records are safeguarded in a secured environment. Buildings where records are stored have security cameras and 24 hour security guard service. The records are kept in limited access areas during duty hours and in locked file cabinets and/or locked offices or file rooms at all other times. Access is limited to those personnel whose official duties require access. Computerized records are safeguarded through use of access codes and information technology security. Contractors and other recipients providing supplies and/or services to the NCUA are contractually obligated to maintain equivalent safeguards.

Record Access Procedures: Individuals should submit a written request to the Privacy Officer, NCUA, 1775 Duke Street, Alexandria, VA 22314, and provide the following information:

  1. ​F​ull name.
  2. Any available information regarding the type of record involved, and the name of the system containing the record.
  3. The address to which the record information should be sent.
  4. You must sign your request.

Attorneys or other persons acting on behalf of an individual must provide written authorization from that individual for the representative to act on their behalf.

Individuals requesting access must also comply with NCUA’s Privacy Act regulations regarding verification of identity and access to records (12 CFR 792.55).

Contesting Record Procedures: Individuals wishing to request an amendment to their records should submit a written request to the Privacy Officer, NCUA, 1775 Duke Street, Alexandria, VA 22314, and provide the following information:

  1. Full name.
  2. Any available information regarding the type of record involved.
  3. A statement specifying the changes to be made in the records and the justification therefor.
  4. The address to which the response should be sent.
  5. You must sign your request.

Attorneys or other persons acting on behalf of an individual must provide written authorization from that individual for the representative to act on their behalf.

Notification Procedure: Individuals wishing to learn whether this system of records contains information about them should submit a written request to the Privacy Officer, NCUA, 1775 Duke Street, Alexandria, VA 22314, and provide the following information:

  1. ​Full name.
  2. Any available information regarding the type of record involved.
  3. The address to which the record information should be sent.
  4. You must sign your request.

Attorneys or other persons acting on behalf of an individual must provide written authorization from that individual for the representative to act on their behalf.

Individuals requesting access must also comply with NCUA’s Privacy Act regulations regarding verification of identity and access to records (12 CFR 792.55).

Exemptions Promulgated for the System: None.

NCUA-20

System Name and Number: Small Credit Union Learning Center – NCUA 20

Security Classification: None.

System Location: NCUA, 1775 Duke Street, Alexandria, VA 22314; Powertrain, 8201 Corporate Drive, Suite 580, Landover, MD 20785; OPM, 1900 E Street, NW, Suite 4439-AB, Washington, DC 20415

System Manager(s): Deputy director, office of small credit union initiatives, NCUA, 1775 Duke Street, Alexandria, VA 22314.

Authority for Maintenance of the System: 12 U.S.C. 1751.

Purpose(s) of the System: To provide and manage online training courses for credit union elected officials and employees.

Categories of Individuals Covered by the System: Credit union elected officials and employees who complete the training course(s).

Categories of Records in the System: Training records, which may include name, email address, username, password, credit union name, charter number, course name, and date of completion of the training course(s).

Record Source Categories: Individuals who complete the training course(s).

Routine Uses of Records Maintained in the System, Including Categories of Users and Purposes of Such Uses: In addition to those disclosures generally permitted under 5 U.S.C. 552a(b) of the privacy act, these records or information contained therein may specifically be disclosed outside NCUA as a routine use pursuant to 5 U.S.C. 552a(b)(3) as follows, and:

  1. NCUA’s standard routine uses​ apply to this system of records.
  2. At the request of a specific credit union, records pertaining to individuals associated with the requesting credit union may be shared with that credit union.

Policies and Practices for Storage of Records: Records are maintained in electronic form.

Policies and Practices for Retrievability of Records: Records are retrieved by any one or more of the following: Name, username, email address, credit union name, charter number, course name, and month or year of completion of a training course.

Policies and Practices for Retention and Disposal of Records: Records are maintained in accordance with the general records retention schedules issued by the National Archives and Records Administration (NARA) or a NCUA records disposition schedule approved by NARA.

Records existing on computer storage media are destroyed according to the applicable NCUA media sanitization practice.

Administrative, Technical, and Physical Safeguards: NCUA has adopted appropriate administrative, technical, and physical controls in accordance with NCUA’s information security policies to protect the security, integrity, and availability of the information, and to ensure that records are not disclosed to or accessed by unauthorized individuals.

Record Access Procedures: Individuals wishing access to their records should submit a written request to the privacy officer, NCUA, 1775 Duke Street, Alexandria, VA 22314, and provide the following information:

  1. Full name.
  2. Any available information regarding the type of record involved.
  3. The address to which the record information should be sent.
  4. You must sign your request.

Attorneys or other persons acting on behalf of an individual must provide written authorization from that individual for the representative to act on their behalf. Individuals requesting access must also comply with NCUA’s privacy act regulations regarding verification of identity and access to records (12 CFR 792.55).

Contesting Record Procedures: Individuals wishing to request an amendment to their records should submit a written request to the privacy officer, NCUA, 1775 Duke Street, Alexandria, VA 22314, and provide the following information:

  1. Full name.
  2. Any available information regarding the type of record involved.
  3. A statement specifying the changes to be made in the records and the justification therefor.
  4. The address to which the response should be sent.
  5. You must sign your request.

Attorneys or other persons acting on behalf of an individual must provide written authorization from that individual for the representative to act on their behalf.

Notification Procedure: individuals wishing to learn whether this system of records contains information about them should submit a written request to the privacy officer, NCUA, 1775 Duke Street, Alexandria, VA 22314, and provide the following information:

  1. Full name.
  2. Any available information regarding the type of record involved.
  3. The address to which the record information should be sent.
  4. You must sign your request.

Attorneys or other persons acting on behalf of an individual must provide written authorization from that individual for the representative to act on their behalf. Individuals requesting access must also comply with NCUA’s privacy act regulations regarding verification of identity and access to records (12 CFR 792.55).

Exemptions Promulgated for the System: None.

NCUA-21

System Name and Number: NCUA Connect, NCUA-21

Security Classification: Unclassified.

System Location: The system is operated and maintained in part by NCUA staff, and in part by third-party vendors. Please contact the system managers (below) for more information.

System Manager(s): Director of the Office of Business Innovation, National Credit Union Administration, 1775 Duke Street, Alexandria, Virginia 22314.

Authority for Maintenance of the System: 12 U.S.C. 1751, et. seq.

Purposes of the System: This system of records is maintained for the purpose of carrying out the NCUA’s statutorily mandated examination and supervision activities. Specifically, this system is the interface through which authorized users access NCUA’s other major examination, supervision, and reporting related systems. It is designed to provide a one-stop entry point for internal and external users, which should enhance user experience, while also streamlining security activities.

Categories of Individuals Covered by the System: Individuals covered by this system are (1) Current and former directors, officers, employees, and agents of credit unions; (2) Current and former credit union service organization representatives; (3) Other individuals engaged in business with the NCUA for a specific purpose (such as outside counsel); and (4) NCUA employees and contractors, and State Supervisory Authority staff.

Categories of Records in the System: Records in the system contain basic log-in information, including username, password, email address, and role. The system also contains log-in/access records.

Record Source Categories: The sources of information in the system are the individual users, or someone acting on their behalf (such as an administrator in their organization, or an NCUA employee or contractor).

Routine Uses of Records Maintained in the System, Including Categories of Users and the Purposes of Such Uses: In addition to those disclosures generally permitted under 5 U.S.C. § 552a(b) of the Privacy Act, these records or information contained therein may specifically be disclosed outside NCUA as a routine use pursuant to 5 U.S.C. 552a(b)(3) as follows:

  1. NCUA’s Standard Routine Uses apply to this system of records.

Policies and Practices for Storage of Records: Electronic records and backups are stored on dedicated secure instance, approved by NCUA’s Office of the Chief Information Officer (OCIO), within a FedRAMP-authorized commercial Cloud Service Provider’s (CSP) Infrastructure as a Service (IaaS) hosting environment and accessed only by authorized personnel. No paper files are maintained.

Policies and Practices for Retrieval of Records: Records are retrieved by name, username, affiliated organization, email, role, or date.

Policies and Practices for Retention and Disposal of Records: Records are maintained in accordance with the General Records Retention Schedules issued by the National Archives and Records Administration (NARA) or a NCUA records disposition schedule approved by NARA. Records existing on computer storage media are destroyed according to the applicable NIST-compliant media sanitization policy.

Administrative, Technical and Physical Safeguards: NCUA has implemented the appropriate administrative, technical, and physical controls in accordance with the Federal Information Security Modernization Act of 2014, Pub.L. 113-283, S. 2521, and NCUA’s information security policies to protect the confidentiality, integrity, and availability of the information system and the information contained therein. Access is limited to individuals authorized through NIST-compliant Identity, Credential, and Access Management policies and procedures. The records are maintained behind a layered defensive posture consistent with all applicable federal laws and regulations, including OMB Circular A-130 and NIST Special Publications 800-37.

Record Access Procedures: Individuals wishing access to their records should submit a written request to the Senior Agency Official for Privacy, NCUA, 1775 Duke Street, Alexandria, VA 22314, and provide the following information:

  1. Full name.
  2. Any available information regarding the type of record involved.
  3. The address to which the record information should be sent.
  4. You must sign your request.

Attorneys or other persons acting on behalf of an individual must provide written authorization from that individual for the representative to act on their behalf. Individuals requesting access must also comply with NCUA’s Privacy Act regulations regarding verification of identity and access to records (12 CFR 792.55).

Contesting Record Procedures: Individuals wishing to request an amendment to their records should submit a written request to the Senior Agency Official for Privacy, NCUA, 1775 Duke Street, Alexandria, VA 22314, and provide the following information:

  1. Full name.
  2. Any available information regarding the type of record involved.
  3. A statement specifying the changes to be made in the records and the justification therefore.
  4. The address to which the response should be sent.
  5. You must sign your request.

Attorneys or other persons acting on behalf of an individual must provide written authorization from that individual for the representative to act on their behalf.

Notification Procedures: Individuals wishing to learn whether this system of records contains information about them should submit a written request to the Senior Agency Official for Privacy, NCUA, 1775 Duke Street, Alexandria, VA 22314, and provide the following information:

  1. Full name.
  2. Any available information regarding the type of record involved.
  3. The address to which the record information should be sent.
  4. You must sign your request.

Attorneys or other persons acting on behalf of an individual must provide written authorization from that individual for the representative to act on their behalf. Individuals requesting access must also comply with NCUA’s Privacy Act regulations regarding verification of identity and access to records (12 CFR 792.55).

Exemptions Promulgated for the System: None.

History: This is a new system.

NCUA-22

System Name and Number: Examination and Supervision System (ESS), NCUA-22

Security Classification: Unclassified.

System Location: The system is operated and maintained in part by NCUA staff, and in part by third-party vendors. Please contact the system managers (below) for more information.

System Manager(s): Director of the Office of Business Innovation and the Director of the Office of Examination and Insurance, National Credit Union Administration, 1775 Duke Street, Alexandria, Virginia 22314-3428.

Authority for Maintenance of the System: 12 U.S.C. 1751, et. seq.

Purpose(s) of the System: This system of records is maintained for the purpose of carrying out the NCUA’s statutorily mandated examination and supervision activities, including the coordination and conduct of examinations, supervisory evaluations and analyses, enforcement actions and actions in Federal court. NCUA may coordinate with other financial regulatory agencies on matters related to the safety and soundness of credit unions. The information collected in this system also supports the conduct of investigations or other supervisory or legal actions by the NCUA or other supervisory or law enforcement agencies. This may result in criminal referrals, referrals to Offices of Inspectors General, or the initiation of administrative or Federal court actions. This system continues to track and store examination and supervision documents created during the performance of the NCUA’s statutory duties. The information also is used for administrative purposes such as quality control, performance metrics, and improvements to examination and supervision processes.

Categories of Individuals Covered by the System: Individuals covered by this system are (1) Current and former directors, officers, employees, and agents of credit unions; (2) Current and former members who are or have been serviced by credit unions; (3) Current and former credit union service organization representatives; (4) Other individuals engaged in business with the NCUA for a specific purpose (such as outside counsel); and (5) NCUA employees and contractors, and (6) State Supervisory Authority staff.

Categories of Records in the System: Records in the system may contain (1) Contact information about credit union officials (such as members of the Board of Directors, Audit Committee Chair, Chief Executive Officer, Chief Compliance Officer, Internal Auditor, and Independent Auditor), such as name, address, phone number, and e-mail address; (2) Demographic and financial information about individual credit union members, such as name, address, Social Security number, account information, loan and share information, and publicly available information; (3) Information about NCUA employees assigned to credit union examination and supervision tasks, such as name, work phone number, work e-mail address, and other employment information; (4) User information, such as name, email address, and role about other users of the system (such as contractors, credit union representatives, State Supervisory Authority staff, and Credit Union Service Organization representatives (CUSOs) and; (5) recordings of meetings between individuals representing the NCUA and credit unions.

Record Source Categories: The information in the system about credit union officials and individual credit union members is generally provided by credit unions and CUSOs. NCUA employees and contractors, and State Supervisory Authorities may add additional information to the system as part of their assigned supervision and examination activities (including analytics/business intelligence activities). Some of the information may be from third parties with relevant information about covered persons or service providers, or existing databases maintained by other Federal and state regulatory associations, law enforcement agencies, and related entities. Whenever practicable, the NCUA collects information about an individual directly from that individual.

Routine Uses of Records Maintained in the System, Including Categories of Users and the Purposes of Such Uses: In addition to those disclosures generally permitted under 5 U.S.C. § 552a(b) of the Privacy Act, these records or information contained therein may specifically be disclosed outside NCUA as a routine use pursuant to 5 U.S.C. 552a(b)(3) as follows:

  1. NCUA’s Standard Routine Uses apply to this system of records.
  2. To a financial institution affected by enforcement activities or reported criminal activities;
  3. To the Internal Revenue Service and appropriate State and local taxing authorities;
  4. To another federal or state agency to: (a) permit a decision as to access, amendment or correction of records to be made in consultation with or by that agency, or (b) verify the identity of an individual or the accuracy of information submitted by an individual who has requested access to or amendment or correction of records;
  5. To a grand jury pursuant either to a federal or state grand jury subpoena, or to a prosecution request that such record be released for the purpose of its introduction to a grand jury, where the subpoena or request has been specifically approved by a court;
  6. To a court, magistrate, or administrative tribunal in the course of an administrative proceeding or judicial proceeding, including disclosures to opposing counsel or witnesses (including expert witnesses) in the course of discovery or other pre-hearing exchanges of information, litigation, or settlement negotiations, where relevant or potentially relevant to a proceeding related to the NCUA’s mission of providing a safe and sound credit union system.
  7. To appropriate agencies, entities, and persons, including but not limited to potential expert witnesses, witnesses, or translators, in the course of supervision or enforcement related investigation;
  8. To appropriate federal, state, local, foreign, tribal, or self-regulatory organizations or agencies responsible for investigating, prosecuting, enforcing, implementing, issuing, or carrying out a statute, rule, regulation, order, policy, or license if the information may be relevant to a potential violation of civil or criminal law, rule, regulation, order, policy, or license; and
  9. To an entity or person that is the subject of supervision or enforcement activities including examinations, investigations, administrative proceedings, and litigation, and the attorney or non-attorney representative for that entity or person.

Policies and Practices for Storage of Records: Electronic records and backups are stored on dedicated secure servers, approved by NCUA’s Office of the Chief Information Officer (OCIO), within a FedRAMP-authorized commercial Cloud Service Provider’s (CSP) Software-as-a-Service solution hosting environment and accessed only by authorized personnel. No paper files are maintained.

Policies and Practices for Retrieval of Records: Records pertaining to individual credit union members are not generally retrieved outside of a scheduled examination or supervision contact. However, such records can be retrieved by credit union name, charter number, credit union member’s name or other record in the system. The system includes advanced search features that function essentially as a full-text search tool.

Policies and Practices for Retention and Disposal of Records: Records are maintained in accordance with the General Records Retention Schedules issued by the National Archives and Records Administration (NARA) or a NCUA records disposition schedule approved by NARA. Records existing on computer storage media are destroyed according to the applicable NIST-compliant media sanitization policy.

Administrative, Technical and Physical Safeguards: NCUA has implemented the appropriate administrative, technical, and physical controls in accordance with the Federal Information Security Modernization Act of 2014, Pub.L. 113-283, S. 2521, and NCUA’s information security policies to protect the confidentiality, integrity, and availability of the information system and the information contained therein. Access is limited to individuals authorized through NIST-compliant Identity, Credential, and Access Management policies and procedures. The records are maintained behind a layered defensive posture consistent with all applicable federal laws and regulations, including OMB Circular A-130 and NIST Special Publications 800-37 and 800-53.

Record Access Procedures: Individuals wishing access to their records should submit a written request to the Senior Agency Official for Privacy, NCUA, 1775 Duke Street, Alexandria, VA 22314, and provide the following information:

  1. Full name.
  2. Any available information regarding the type of record involved.
  3. The address to which the record information should be sent.
  4. You must sign your request.

Attorneys or other persons acting on behalf of an individual must provide written authorization from that individual for the representative to act on their behalf. Individuals requesting access must also comply with NCUA’s Privacy Act regulations regarding verification of identity and access to records (12 CFR 792.55).

Contesting Record Procedures: Individuals wishing to request an amendment to their records should submit a written request to the Senior Agency Official for Privacy, NCUA, 1775 Duke Street, Alexandria, VA 22314, and provide the following information:

  1. Full name.
  2. Any available information regarding the type of record involved.
  3. A statement specifying the changes to be made in the records and the justification therefore.
  4. The address to which the response should be sent.
  5. You must sign your request.

Attorneys or other persons acting on behalf of an individual must provide written authorization from that individual for the representative to act on their behalf.

Notification Procedures: Individuals wishing to learn whether this system of records contains information about them should submit a written request to the Senior Agency Official for Privacy, NCUA, 1775 Duke Street, Alexandria, VA 22314, and provide the following information:

  1. Full name.
  2. Any available information regarding the type of record involved.
  3. The address to which the record information should be sent.
  4. You must sign your request.

Attorneys or other persons acting on behalf of an individual must provide written authorization from that individual for the representative to act on their behalf. Individuals requesting access must also comply with NCUA’s Privacy Act regulations regarding verification of identity and access to records (12 CFR 792.55).

Exemptions Promulgated for the System: Federal criminal law enforcement investigatory reports maintained as part of this system may be the subject of exemptions imposed by the originating agency pursuant to 5 U.S.C. 552a(j)(2).

History: 84 FR 11331.

NCUA-23

System Name and Number: Mailing, Contact and Other Lists System – NCUA-23

Security Classification: Unclassified.

System Location: The system is operated and maintained in part by NCUA staff, and in part by third-party vendors. Please contact the system managers (below) for more information.

System Manager(s): Director of the Office of External Affairs and Communications, and the Director of the Office of Examination and Insurance, National Credit Union Administration, 1775 Duke Street, Alexandria, Virginia 22314-3428.

Authority for Maintenance of the System: 12 U.S.C. 1751, et. seq.

Purpose(s) of the System: This system of records is maintained for the purposes of supporting the National Credit Union Administration’s (NCUA’s) communications and outreach efforts to members of the public and to facilitate the NCUA’s statutorily mandated examination and supervision activities, including:

  1. Handling requests for informational literature, newsletters, and other NCUA materials;
  2. Processing event registrations, conducting surveys, and providing information about NCUA-related activities and events and;
  3. Notifying credit unions of mandatory actions and updates that they must complete and are related to the NCUA’s mission of providing a safe and sound credit union system.

Categories of Individuals Covered by the System: Individuals covered by this system are (1) Current and former directors, officers, employees, and volunteers of credit unions; (2) Members of the public; and (3) NCUA employees and contractors.

Categories of Records in the System: Records in the system may contain contact information including name, title, address, phone number, and e-mail address.

Record Source Categories: The information in the system about credit union officials and individual credit union members is generally provided by credit unions and CUSOs. NCUA employees and contractors, and State Supervisory Authorities may add additional information to the system as part of their assigned supervision and examination activities (including analytics/business intelligence activities). Some of the information may be from third parties with relevant information about covered persons or service providers, or existing databases maintained by other Federal and state regulatory associations, law enforcement agencies, and related entities. Whenever practicable, the NCUA collects information about an individual directly from that individual.

Routine Uses of Records Maintained in the System, Including Categories of Users and the Purposes of Such Uses: In addition to those disclosures generally permitted under 5 U.S.C. § 552a(b) of the Privacy Act, these records or information contained therein may specifically be disclosed outside NCUA as a routine use pursuant to 5 U.S.C. 552a(b)(3) as follows:

  1. NCUA’s Standard Routine Uses apply to this system of records.
  2. To appropriate agencies, entities, and persons for the purpose of supervision, enforcement, training, or other outreach activities.
  3. To an entity or person that is the subject of supervision or enforcement activities including examinations, investigations, administrative proceedings, and litigation, and the attorney or non-attorney representative for that entity or person.

Policies and Practices for Storage of Records: Electronic records and backups are stored on secure servers, approved by NCUA’s Office of the Chief Information Officer (OCIO), within a FedRAMP-authorized commercial Cloud Service Provider’s (CSP) Software-as-a-Service solution hosting environment and accessed only by authorized personnel. No paper files are maintained.

Policies and Practices for Retrieval of Records: Records may be retrieved by any of the following: name, address, phone number, or e-mail address.

Policies and Practices for Retention and Disposal of Records: Records are maintained until they become inactive and, in accordance with the General Records Retention Schedules issued by the National Archives and Records Administration (NARA) or a NCUA records disposition schedule approved by NARA.

Administrative, Technical and Physical Safeguards: NCUA and the Cloud Service Provider have implemented the appropriate administrative, technical, and physical controls in accordance with the Federal Information Security Modernization Act of 2014, Pub.L. 113-283, S. 2521, and NCUA’s information security policies to protect the confidentiality, integrity, and availability of the information system and the information contained therein. Access is limited only to individuals authorized through NIST-compliant Identity, Credential, and Access Management policies and procedures. The records are maintained behind a layered defensive posture consistent with all applicable federal laws and regulations, including OMB Circular A-130 and NIST Special Publications 800-37.

Record Access Procedures: Individuals wishing access to their records should submit a written request to the Senior Agency Official for Privacy, NCUA, 1775 Duke Street, Alexandria, VA 22314, and provide the following information:

  1. Full name.
  2. Any available information regarding the type of record involved.
  3. The address to which the record information should be sent.
  4. You must sign your request.

Attorneys or other persons acting on behalf of an individual must provide written authorization from that individual for the representative to act on their behalf. Individuals requesting access must also comply with NCUA’s Privacy Act regulations regarding verification of identity and access to records (12 CFR 792.55).

Contesting Record Procedures: Individuals wishing to request an amendment to their records should submit a written request to the Senior Agency Official for Privacy, NCUA, 1775 Duke Street, Alexandria, VA 22314, and provide the following information:

  1. Full name.
  2. Any available information regarding the type of record involved.
  3. A statement specifying the changes to be made in the records and the justification therefore.
  4. The address to which the response should be sent.
  5. You must sign your request.

Attorneys or other persons acting on behalf of an individual must provide written authorization from that individual for the representative to act on their behalf.

Notification Procedures: Individuals wishing to learn whether this system of records contains information about them should submit a written request to the Senior Agency Official for Privacy, NCUA, 1775 Duke Street, Alexandria, VA 22314, and provide the following information:

  1. Full name.
  2. Any available information regarding the type of record involved.
  3. The address to which the record information should be sent.
  4. You must sign your request.

Attorneys or other persons acting on behalf of an individual must provide written authorization from that individual for the representative to act on their behalf. Individuals requesting access must also comply with NCUA’s Privacy Act regulations regarding verification of identity and access to records (12 CFR 792.55).

Exemptions Promulgated for the System: None.

History: This is a new system.

NCUA-24

System Name and Number: Ensuring Workplace Health and Safety in Response to a Public Health Emergency, NCUA-24

Security Classification: Unclassified.

System Location: Records are maintained at NCUA facilities in Alexandria, Virginia and regional offices. Original and duplicate systems may exist, in whole or in part, at secure sites and on secure servers maintained by third-party service providers for the NCUA.

System Manager(s): Director of the Office of Continuity and Security Management, National Credit Union Administration, 1775 Duke Street, Alexandria, VA 22314.

Authority for Maintenance of the System: 12 U.S.C. 1751, et seq.; Americans with Disabilities Act, including 42 U.S.C. 12112(d)(3)(B), 29 CFR 1630.2(r), and 1630.14(b), (c), and (d)(4); Workforce safety Federal requirements, including the Occupational Safety and Health Act of 1970, 5 U.S.C. 7902; 29 U.S.C. Chapter 15 (e.g., 29 U.S.C. 668), 29 CFR part 1904, 29 CFR 1910.1020, and 29 CFR 1960.66; Executive Order 12196; Executive Order 14043.

Purpose(s) of the System: The information in the system is collected to assist the NCUA with maintaining a safe and healthy workplace and respond to a public health emergency (as defined by the U.S. Department of Health and Human Services and declared by its Secretary), such as a pandemic or epidemic. These measures may include instituting activities such as: (1) requiring NCUA personnel (including applicants for Federal employment) to provide information and/or submit to a medical screening before being allowed access to an NCUA facility, and (2) contact tracing. NCUA personnel may also need to provide information before being authorized to travel.

Categories of Individuals Covered by the System: Individuals covered by this system include NCUA personnel, such as, political appointees, employees, contractors, detailees, consultants, interns, volunteers, and applicants for Federal employment.

Categories of Records in the System: Information may include:

  • Name
  • Contact information (e.g., email address, phone number)
  • Employee ID number
  • Recent travel history
  • Whether the individual provides dependent care for an individual in a high-risk category
  • Health information, including:
    • Body temperature,
    • Confirmation of pathogen or communicable disease test,
    • Test results,
    • Dates, symptoms, potential or actual exposure to a pathogen or communicable disease,
    • Immunization or vaccination information;
    • Information to support a reasonable accommodation (for example, a request for exemption from a vaccination requirement), and
    • Other medical history related to the treatment of a pathogen or communicable disease
  • Contact tracing information, including:
    • Dates when the individual visited the NCUA facility or event, or worked on-site on behalf of the NCUA,
    • Locations that the individual visited within the facility (e.g., office and cubicle number),
    • Duration of time spent in the facility, and
    • Whether the individual may have potentially come into contact with a contagious person while visiting the facility.

Record Source Categories: The information in this system is collected in part directly from the individual. Information is also collected from security systems monitoring access to NCUA facilities, such as video surveillance and turnstiles, human resources systems, emergency notification systems, and Federal, State, and local agencies assisting with the response to a public health emergency. Information may also be collected from property management companies responsible for managing office buildings that house NCUA facilities.

Routine Uses of Records Maintained in the System, Including Categories of Users and Purposes of Such Uses: In addition to those disclosures generally permitted under 5 U.S.C. 552a(b) of the Privacy Act, all or a portion of the records or information contained in this system may be disclosed outside the NCUA as a routine use as follows:

  1. To appropriate Federal, State, local and foreign authorities responsible for investigating or prosecuting a violation of, or for enforcing or implementing a statute, rule, regulation, or order issued, when the information indicates a violation or potential violation of law, whether civil, criminal, or regulatory in nature, and whether arising by general statute or particular program statute, or by regulation, rule, or order issued pursuant thereto;
  2. To an authorized appeal grievance examiner, formal complaints examiner, equal employment opportunity investigator, arbitrator or other duly authorized official engaged in investigation or settlement of a grievance, complaint, or appeal filed by an employee. Further, a record from any system of records may be disclosed as a routine use to the Office of Personnel Management in accordance with the agency’s responsibility for evaluation and oversight of Federal personnel management;
  3. To a court, magistrate, or other administrative body in the course of presenting evidence, including disclosures to counsel or witnesses in the course of civil discovery, litigation, or settlement negotiations or in connection with criminal proceedings, when the NCUA is a party to the proceeding or has a significant interest in the proceeding, to the extent that the information is determined to be relevant and necessary;
  4. To contractors, experts, consultants, and the agents thereof, and others performing or working on a contract, service, cooperative agreement, or other assignment for the NCUA when necessary for the purpose of assisting the NCUA’s response to a public health emergency;
  5. To appropriate agencies, entities, and persons when (1) the NCUA suspects or has confirmed that the security or confidentiality of information in the system of records has been compromised; (2) the NCUA has determined that as a result of the suspected or confirmed compromise there is a risk of harm to economic or property interests, identity theft or fraud, or harm to the security or integrity of this system or other systems or programs (whether maintained by the NCUA or another agency or entity) that rely upon the compromised information; and (3) the disclosure made to such agencies, entities, and persons is reasonably necessary to assist in connection with the NCUA’s efforts to respond to the suspected or confirmed compromise and prevent, minimize, or remedy such harm;
  6. To another Federal agency or Federal entity, when the NCUA determines that information from this system of records is reasonably necessary to assist the recipient agency or entity in (1) responding to a suspected or confirmed breach or (2) preventing, minimizing, or remedying the risk of harm to individuals, the recipient agency or entity (including its information systems, programs, and operations), the Federal Government, or national security, resulting from a suspected or confirmed breach;
  7. To a Federal, State, or local agency to the extent necessary to comply with laws governing reporting of infectious disease; and
  8. To members of Congress in response to requests made at the request of and on behalf of their constituents.

Policies and Practices for Storage of Records: Electronic records and backups are stored on secure servers, approved by the NCUA’s Office of the Chief Information Officer (OCIO), within FedRAMP-authorized commercial Cloud Service Providers’ (CSP) Software-as-a-Service solutions hosting environments and accessed only by authorized personnel. No paper files are maintained.

Policies and Practices for Retrieval of Records: Records may be retrieved by any of the following: name, office, or e-mail address.

Policies and Practices for Retention and Disposal of Records: Records are maintained and disposed of in accordance with the General Records Retention Schedules issued by the National Archives and Records Administration (NARA) or an NCUA records disposition schedule approved by NARA.

Administrative, Technical and Physical Safeguards: The NCUA and the Cloud Service Provider have implemented the appropriate administrative, technical, and physical controls in accordance with the Federal Information Security Modernization Act of 2014, Pub. L. 113-283, S. 2521, and the NCUA’s information security policies to protect the confidentiality, integrity, and availability of the information system and the information contained therein. Access is limited only to individuals authorized through NIST-compliant Identity, Credential, and Access Management policies and procedures. The records are maintained behind a layered defensive posture consistent with all applicable Federal laws and regulations, including Office of Management and Budget (OMB) Circular A-130 and National Institute of Standards and Technology (NIST) Special Publications 800-37.

Record Access Procedures: Individuals wishing access to their records should submit a written request to the Senior Agency Official for Privacy, NCUA, 1775 Duke Street, Alexandria, VA 22314, and provide the following information:

  1. Full name.
  2. Any available information regarding the type of record involved.
  3. The address to which the record information should be sent.
  4. You must sign your request.

Attorneys or other persons acting on behalf of an individual must provide written authorization from that individual for the representative to act on their behalf. Individuals requesting access must also comply with the NCUA’s Privacy Act regulations regarding verification of identity and access to records (12 CFR 792.55).

Contesting Record Procedures: Individuals wishing to request an amendment to their records should submit a written request to the Senior Agency Official for Privacy, NCUA, 1775 Duke Street, Alexandria, VA 22314, and provide the following information:

  1. Full name.
  2. Any available information regarding the type of record involved.
  3. A statement specifying the changes to be made in the records and the justification therefore.
  4. The address to which the response should be sent.
  5. You must sign your request.

Attorneys or other persons acting on behalf of an individual must provide written authorization from that individual for the representative to act on their behalf.

Notification Procedures: Individuals wishing to learn whether this system of records contains information about them should submit a written request to the Senior Agency Official for Privacy, NCUA, 1775 Duke Street, Alexandria, VA 22314, and provide the following information:

  1. Full name.
  2. Any available information regarding the type of record involved.
  3. The address to which the record information should be sent.
  4. You must sign your request.

Attorneys or other persons acting on behalf of an individual must provide written authorization from that individual for the representative to act on their behalf. Individuals requesting access must also comply with the NCUA’s Privacy Act regulations regarding verification of identity and access to records (12 CFR 792.55).

Exemptions Promulgated for the System: None.

History: This is a new system.

NCUA-25

System Name and Number: Reasonable Accommodations Records–NCUA-25

Security Classification: Unclassified.

System Location: The system is operated and maintained at the National Credit Union Administration, 1775 Duke Street, Alexandria, Virginia 22314. Records may be located in locked cabinets and offices, on NCUA’s local area network, or in authorized cloud service providers.

System Manager(s): Chief Human Capital Officer and Director of the Office of Human Resources, National Credit Union Administration, 1775 Duke Street, Alexandria, Virginia 22314.

Authority for Maintenance of the System: 12 U.S.C. 1751, et. seq., The Rehabilitation Act of 1973, 29 U.S.C. 701, 791, 794; Title VII of the Civil Rights Act of 1964, 42 U.S.C. 2000e; 29 CFR 1605 (Guidelines on Discrimination Because of Religion); 29 CFR 1614 (Federal Sector Equal Employment Opportunity); 29 CFR 1614 (Regulations to Implement the Equal Employment Provisions of the Americans With Disabilities Act); 5 U.S.C. 302, 1103; Executive Order 13164, Requiring Federal Agencies to Establish Procedures to Facilitate the Provision of Reasonable Accommodation (July 26, 2000); and Executive Order 13548, Increasing Federal Employment of Individuals with Disabilities (July 26, 2010).

Purpose(s) of the System: This system of records is maintained for the purposes of:

  1. Collecting and maintaining records on NCUA applicants for employment, employees, and other individuals who participate in NCUA programs or activities and who request or receive reasonable accommodations or other appropriate modifications from the NCUA for medical or religious reasons;
  2. To process, evaluate, and make decisions on individual requests and;
  3. To track and report the processing of such requests agency-wide to comply with applicable requirements in law and policy.

Categories of Individuals Covered by the System: Individuals covered by this system are (1) Applicants for Federal employment and (2) Federal employees who requested and/or received reasonable accommodations or other appropriate modifications from the NCUA for medical or religious reasons and; (3) other individuals who participate in NCUA programs or activities and who request or receive reasonable accommodations or other appropriate modifications from the NCUA for medical or religious reasons.

Categories of Records in the System: Records in the system may contain:

  • Requester’s name;
  • Requester’s status (applicant, current employee);
  • Requester’s position title, series, grade;
  • Requester’s supervisor’s name;
  • Requester’s contact information (addresses, phone numbers, and email addresses);
  • Description of the requester’s medical condition or disability and any medical documentation provided in support of the request;
  • Medical provider’s name and contact information;
  • Requester’s statement of a sincerely held religious belief and any additional information provided concerning that religious belief and the need for an accommodation to exercise that belief;
  • The name/contact information of an individual’s religious or spiritual advisor;
  • Description of the accommodation being requested;
  • Description of previous requests for accommodation;
  • Whether the request was made orally or in writing;
  • Whether the request for reasonable accommodation was granted or denied, and if denied, the reason for the denial;
  • The amount of time taken to process the request;
  • The sources of technical assistance consulted in trying to identify a possible reasonable accommodation;
  • Any reports or evaluations prepared in determining whether to grant or deny the request;
  • Any other information collected or developed in connection with the request for a reasonable accommodation.
  • Decision-Maker’s name/signature and;
    Disability Program Manager’s name/signature.

Record Source Categories: The information in the system is obtained from the individuals who request and/or receive a reasonable accommodation or other appropriate modification from the NCUA, directly or indirectly from an individual’s medical provider or another medical professional who evaluates the request, directly or indirectly from an individual’s religious or spiritual advisors or institutions, and from management officials. Whenever practicable, the NCUA collects information about an individual directly from that individual.

Routine Uses of Records Maintained in the System, Including Categories of Users and Purposes of Such Uses: In addition to those disclosures generally permitted under 5 U.S.C. § 552a(b) of the Privacy Act, these records or information contained therein may specifically be disclosed outside the NCUA as a routine use pursuant to 5 U.S.C. 552a(b)(3) as follows:

  1. To a Federal agency or entity authorized to procure assistive technologies and services in response to a request for reasonable accommodation.
  2. To first aid and safety personnel if the individual’s medical condition requires emergency treatment.
  3. To another Federal agency or oversight body charged with evaluating NCUA’s compliance with the laws, regulations, and policies governing reasonable accommodation requests.
  4. To another Federal agency pursuant to a written agreement with NCUA to provide services (such as medical evaluations), when necessary, in support of reasonable accommodation decisions.
  5. If a record in a system of records indicates a violation or potential violation of civil or criminal law or a regulation, and whether arising by general statute or particular program statute, or by regulation, rule, or order, the relevant records in the system or records may be disclosed as a routine use to the appropriate agency, whether federal, state, local, or foreign, charged with the responsibility of investigating or prosecuting such violation or charged with enforcing or implementing the statute, rule, regulation, or order issued pursuant thereto.
  6. A record from a system of records may be disclosed as a routine use to an authorized appeal grievance examiner, formal complaints examiner, equal employment opportunity investigator, arbitrator or other duly authorized official engaged in investigation or settlement of a grievance, complaint, or appeal filed by an employee. Further, a record from any system of records may be disclosed as a routine use to the Office of Personnel Management in accordance with the agency's responsibility for evaluation and oversight of federal personnel management.
  7. A record from a system of records may be disclosed as a routine use to a member of Congress or to a congressional staff member in response to an inquiry from the congressional office made at the request of the individual about whom the record is maintained.
  8. Records in a system of records may be disclosed as a routine use to the Department of Justice, when: (a) NCUA, or any of its components or employees acting in their official capacities, is a party to litigation; or (b) Any employee of NCUA in his or her individual capacity is a party to litigation and where the Department of Justice has agreed to represent the employee; or (c) The United States is a party in litigation, where NCUA determines that litigation is likely to affect the agency or any of its components, is a party to litigation or has an interest in such litigation, and NCUA determines that use of such records is relevant and necessary to the litigation.
  9. Records in a system of records may be disclosed as a routine use in a proceeding before a court or adjudicative body before which NCUA is authorized to appear (a) when NCUA or any of its components or employees are acting in their official capacities; (b) where NCUA or any employee of NCUA in his or her individual capacity has agreed to represent the employee; or (c) where NCUA determines that litigation is likely to affect the agency or any of its components, is a party to litigation or has an interest in such litigation, and NCUA determines that use of such records is relevant and necessary to the litigation.
  10. A record from a system of records may be disclosed to contractors, experts, consultants, and the agents thereof, and others performing or working on a contract, service, cooperative agreement, or other assignment for NCUA when necessary to accomplish an agency function or administer an employee benefit program.
  11. To appropriate agencies, entities, and persons when (1) the NCUA suspects or has confirmed that there has been a breach of the system of records;·(2) the NCUA has determined that as a result of the suspected or confirmed breach there is a risk of harm to individuals, the NCUA (including its information systems, programs, and operations), the Federal Government, or national security; and (3) the disclosure made to such agencies, entities, and persons is reasonably necessary to assist in connection with the NCUA’s efforts to respond to the suspected or confirmed breach or to prevent, minimize, or remedy such harm.
  12. To another Federal agency or Federal entity, when the NCUA determines that information from this system of records is reasonably necessary to assist the recipient agency or entity in (1) responding to a suspected or confirmed breach or (2) preventing, minimizing, or remedying the risk of harm to individuals, the recipient agency or entity (including its information systems, programs, and operations), the Federal Government, or national security, resulting from a suspected or confirmed breach.

Policies and Practices for Storage of Records: Electronic records and backups are stored on secure servers, approved by NCUA’s Office of the Chief Information Officer (OCIO), within a FedRAMP-authorized commercial Cloud Service Provider’s (CSP) Software-as-a-Service solution hosting environment and accessed only by authorized personnel.

Policies and Practices for Retrieval of Records: Records may be retrieved by any of the following: name, case number, or e-mail address.

Policies and Practices for Retention and Disposal of Records: Records are maintained in accordance with GRS 2.3 and are destroyed three years after separation from the agency or all appeals are concluded, whichever is later, but longer retention is authorized if requested for business use.

Administrative, Technical and Physical Safeguards: NCUA and the Cloud Service Provider have implemented the appropriate administrative, technical, and physical controls in accordance with the Federal Information Security Modernization Act of 2014, Pub.L. 113-283, S. 2521, and NCUA’s information security policies to protect the confidentiality, integrity, and availability of the information system and the information contained therein. Access is limited only to individuals authorized through NIST-compliant Identity, Credential, and Access Management policies and procedures. The records are maintained behind a layered defensive posture consistent with all applicable federal laws and regulations, including OMB Circular A-130 and NIST Special Publications 800-37.

Record Access Procedures: Individuals wishing access to their records should submit a written request to the Senior Agency Official for Privacy, NCUA, 1775 Duke Street, Alexandria, VA 22314, and provide the following information:

  1. Full name.
  2. Any available information regarding the type of record involved.
  3. The address to which the record information should be sent.
  4. You must sign your request.

Attorneys or other persons acting on behalf of an individual must provide written authorization from that individual for the representative to act on their behalf. Individuals requesting access must also comply with NCUA’s Privacy Act regulations regarding verification of identity and access to records (12 CFR 792.55).

Contesting Record Procedures: Individuals wishing to request an amendment to their records should submit a written request to the Senior Agency Official for Privacy, NCUA, 1775 Duke Street, Alexandria, VA 22314, and provide the following information:

  1. Full name.
  2. Any available information regarding the type of record involved.
  3. A statement specifying the changes to be made in the records and the justification therefore.
  4. The address to which the response should be sent.
  5. You must sign your request.

Attorneys or other persons acting on behalf of an individual must provide written authorization from that individual for the representative to act on their behalf.

Notification Procedures: Individuals wishing to learn whether this system of records contains information about them should submit a written request to the Senior Agency Official for Privacy, NCUA, 1775 Duke Street, Alexandria, VA 22314, and provide the following information:

  1. Full name.
  2. Any available information regarding the type of record involved.
  3. The address to which the record information should be sent.
  4. You must sign your request.

Attorneys or other persons acting on behalf of an individual must provide written authorization from that individual for the representative to act on their behalf. Individuals requesting access must also comply with NCUA’s Privacy Act regulations regarding verification of identity and access to records (12 CFR 792.55).

Exemptions Promulgated for the System: None.

History: This is a new system.

NCUA-26

System Name and Number: NCUA-26, Prospective Official Application Records.

Security Classification: Unclassified.

System Location: National Credit Union Administration, 1775 Duke Street, Alexandria, VA 22314-3428.

System Manager(s): Director, Office of Credit Union Resources and Expansion, National Credit Union Administration, 1775 Duke Street, Alexandria, Virginia 22314-3428.

Authority for Maintenance of the System: 12 U.S.C. 1754 and 12 CFR Part 701.

Purpose(s) of the System: The NCUA uses information maintained in this system to carry out its statutory and other regulatory responsibilities, including evaluating the general character and fitness of prospective officials and employees of proposed federal credit unions and proposed federally insured state-chartered credit unions, and evaluating that applicants have requisite skills and commitment to dedicate time and effort to operate a successful credit union.

Categories of Individuals Covered by the System: Individuals, such as prospective officials and employees, or other persons who are subject to background checks designed to evaluate the general character and fitness bearing on the individual’s fitness to be an official or employee of a proposed federal credit union or a proposed federally insured state-chartered credit union.

Categories of Records in the System: Records in the system include name, contact information, date of birth, and Social Security numbers of individuals proposed as either officials or management employees of proposed federal credit unions or proposed federally insured state-chartered credit unions. Records may also include interagency or intra-agency correspondence or memoranda; suspicious activity reports; federal, state, or local criminal law enforcement agency investigatory reports, indictments and/or arrest and conviction information; reporting agency credit reports; adverse credit records (e.g., bankruptcies, liens, judgments); administrative enforcement orders or agreements. Records also include actions taken by the NCUA in connection with these proposals.

Record Source Categories: The information in the system is obtained from individuals named in notices filed pursuant to 12 CFR 701 Appendix B, federal or state financial regulatory agencies, criminal law enforcement authorities, credit bureaus, and NCUA personnel.

Routine Uses of Records Maintained in the System, Including Categories of Users and Purposes of Such Uses: In addition to those disclosures generally permitted under 5 U.S.C. 552a(b) of the Privacy Act, these records or information contained therein may specifically be disclosed outside the NCUA as a routine use pursuant to 5 U.S.C. 552a(b)(3) as follows:

  1. A record from a system of records may be disclosed as a routine use to third parties to the extent necessary to obtain information that is relevant to an investigation of an individual’s general character and fitness;
  2. If a record in a system of records indicates a violation or potential violation of civil or criminal law or a regulation, and whether arising by general statute or particular program statute, or by regulation, rule, or order, the relevant records in the system or records may be disclosed as a routine use to the appropriate agency, whether federal, state, local, or foreign, charged with the responsibility of investigating or prosecuting such violation or charged with enforcing or implementing the statute, rule, regulation, or order issued pursuant thereto;
  3. A record from a system of records may be disclosed as a routine use to a member of Congress or to a congressional staff member in response to an inquiry from the congressional office made at the request of the individual about whom the record is maintained;
  4. Records in a system of records may be disclosed as a routine use to the Department of Justice, when: (a) NCUA, or any of its components or employees acting in their official capacities, is a party to litigation; or (b) Any employee of NCUA in his or her individual capacity is a party to litigation and where the Department of Justice has agreed to represent the employee; or (c) The United States is a party in litigation, where NCUA determines that litigation is likely to affect the agency or any of its components, is a party to litigation or has an interest in such litigation, and NCUA determines that use of such records is relevant and necessary to the litigation;
  5. Records in a system of records may be disclosed as a routine use in a proceeding before a court or adjudicative body before which NCUA is authorized to appear (a) when NCUA or any of its components or employees are acting in their official capacities; (b) where NCUA or any employee of NCUA in his or her individual capacity has agreed to represent the employee; or (c) where NCUA determines that litigation is likely to affect the agency or any of its components, is a party to litigation or has an interest in such litigation, and NCUA determines that use of such records is relevant and necessary to the litigation;
  6. A record from a system of records may be disclosed as a routine use to contractors, experts, consultants, and the agents thereof, and others performing or working on a contract, service, cooperative agreement, or other assignment for NCUA when necessary to accomplish an agency function or administer an employee benefit program. Individuals provided information under this routine use are subject to the same Privacy Act requirements and limitations on disclosure as are applicable to NCUA employees;
  7. A record from a system of records may be disclosed to appropriate agencies, entities, and persons when (1) NCUA suspects or has confirmed that the security or confidentiality of information in the system of records has been compromised; (2) NCUA has determined that as a result of the suspected or confirmed compromise there is a risk of harm to economic or property interests, identity theft or fraud, or harm to the security or integrity of this system or other systems or programs (whether maintained by NCUA or another agency or entity) that rely upon the compromised information; and (3) the disclosure made to such agencies, entities, and persons is reasonably necessary to assist in connection with NCUA’s efforts to respond to the suspected or confirmed compromise and prevent, minimize, or remedy such harm; and
  8. To another Federal agency or Federal entity, when the NCUA determines that information from this system of records is reasonably necessary to assist the recipient agency or entity in (1) responding to a suspected or confirmed breach or (2) preventing, minimizing, or remedying the risk of harm to individuals, the recipient agency or entity (including its information systems, programs, and operations), the Federal Government, or national security, resulting from a suspected or confirmed breach.

Policies and Practices for Storage of Records: Electronic records and backups are stored on secure servers, approved by NCUA’s Office of the Chief Information Officer (OCIO), within a FedRAMP-authorized commercial Cloud Service Provider’s (CSP) Software-as-a-Service solution hosting environment and accessed only by authorized personnel.

Policies and Practices for Retrieval of Records: Records may be retrieved by the name of an individual covered by the system.

Policies and Practices for Retention and Disposal of Records: Records are maintained and disposed in accordance with the General Records Retention Schedules issued by the National Archives and Records Administration (NARA) or an NCUA records disposition schedule approved by NARA.

Administrative, Technical and Physical Safeguards: NCUA has implemented the appropriate administrative, technical, and physical controls in accordance with the Federal Information Security Modernization Act of 2014, Pub. L. 113-283, S. 2521, and NCUA’s information security policies to protect the confidentiality, integrity, and availability of the information system and the information contained therein. Access is limited only to individuals authorized through NIST-compliant Identity, Credential, and Access Management policies and procedures. The records are maintained behind a layered defensive posture consistent with all applicable federal laws and regulations, including OMB Circular A-130 and NIST Special Publication 800-37.

Record Access Procedures: Individuals wishing access to their records should submit a written request to the Senior Agency Official for Privacy, NCUA, 1775 Duke Street, Alexandria, VA 22314, and provide the following information:

  1. Full name.
  2. Any available information regarding the type of record involved.
  3. The address to which the record information should be sent.
  4. You must sign your request.

Attorneys or other persons acting on behalf of an individual must provide written authorization from that individual for the representative to act on their behalf. Individuals requesting access must also comply with NCUA’s Privacy Act regulations regarding verification of identity and access to records (12 CFR 792.55).

Contesting Record Procedures: Individuals wishing to request an amendment to their records should submit a written request to the Senior Agency Official for Privacy, NCUA, 1775 Duke Street, Alexandria, VA 22314, and provide the following information:

  1. Full name.
  2. Any available information regarding the type of record involved.
  3. A statement specifying the changes to be made in the records and the justification therefore.
  4. The address to which the response should be sent.
  5. You must sign your request.

Attorneys or other persons acting on behalf of an individual must provide written authorization from that individual for the representative to act on their behalf.

Notification Procedures: Individuals wishing to learn whether this system of records contains information about them should submit a written request to the Senior Agency Official for Privacy, NCUA, 1775 Duke Street, Alexandria, VA 22314, and provide the following information:

  1. Full name.
  2. Any available information regarding the type of record involved.
  3. The address to which the record information should be sent.
  4. You must sign your request.

Attorneys or other persons acting on behalf of an individual must provide written authorization from that individual for the representative to act on their behalf. Individuals requesting access must also comply with NCUA’s Privacy Act regulations regarding verification of identity and access to records (12 CFR 792.55).

Exemptions Promulgated for the System: Federal criminal law enforcement investigatory reports maintained as part of this system may be subject of exemptions imposed by the originating agency pursuant to 5 U.S.C. 552a(j)(2).

History: This is a new system.

NCUA-27

System Name and Number: NCUA-27, NCUA General Support System Records.

Security Classification: Unclassified.

System Location: National Credit Union Administration, 1775 Duke Street, Alexandria, VA 22314-3428.

System Manager(s): Chief Information Officer, National Credit Union Administration, 1775 Duke Street, Alexandria, Virginia 22314-3428.

Authority for Maintenance of the System: 12 U.S.C. 1751 et seq. and 40 U.S.C. 11331.

Purpose(s) of the System: The information in the system is being collected to enable the NCUA to provide authorized individuals access to NCUA information technology resources. The system enables the NCUA to maintain account information required for approved access to information technology, lists of individuals seeking or receiving access to NCUA information technology or equipment, and lists of individuals who are appropriate organizational points of contact. The information will also be used for administrative purposes to ensure quality control, performance, and improving management processes.

Categories of Individuals Covered by the System: Categories of individuals covered by this system include all persons who are authorized to access NCUA information technology resources, including: (1) Employees, contractors, and any lawfully designated representatives of federal, state, territorial, tribal, or local government agencies or entities, in furtherance of the NCUA’s mission; (2) individuals who have business with the NCUA and who have provided personal information in order to facilitate access to NCUA information technology resources; and (3) individuals who are points of contact provided for government business, operations, or programs.

Categories of Records in the System: Records in this system may contain data relating to individuals, including but not limited to: name; telephone numbers, including business, cellular, and home numbers; level of access; home or other provided address for the receipt of issued IT equipment or resources; email addresses of senders and recipients; records of access to NCUA computers and networks including equipment issued, user ID and passwords, date(s) and time(s) of access, IP address of access, logs of internet activity and records on the authentication of the access request; records of identity management related to individual user’s request including universal resource locator of individual’s chosen identity assurance certificate provider and response from certificate provider of positive or negative authentication; and positions or titles of contacts, their business or organizational affiliations, and other contact information provided to the NCUA that is derived from other sources to facilitate authorized access to NCUA Information Technology resources. The information in this system includes information relating to system access and does not include the data held within the systems or information technology resources to which access or interaction is sought.

Record Source Categories: Information in this system is obtained from individuals and entities associated with or granted access to NCUA information technology resources.

Routine Uses of Records Maintained in the System, Including Categories of Users and Purposes of Such Uses: In addition to those disclosures generally permitted under 5 U.S.C. 552a(b) of the Privacy Act, these records or information contained therein may specifically be disclosed outside the NCUA as a routine use pursuant to 5 U.S.C. 552a(b)(3) as follows:

  1. If a record in a system of records indicates a violation or potential violation of civil or criminal law or a regulation, and whether arising by general statute or particular program statute, or by regulation, rule, or order, the relevant records in the system or records may be disclosed as a routine use to the appropriate agency, whether federal, state, local, or foreign, charged with the responsibility of investigating or prosecuting such violation or charged with enforcing or implementing the statute, rule, regulation, or order issued pursuant thereto.
  2. A record from a system of records may be disclosed as a routine use to a member of Congress or to a congressional staff member in response to an inquiry from the congressional office made at the request of the individual about whom the record is maintained;
  3. Records in a system of records may be disclosed as a routine use to the Department of Justice, when: (a) NCUA, or any of its components or employees acting in their official capacities, is a party to litigation; or (b) Any employee of NCUA in his or her individual capacity is a party to litigation and where the Department of Justice has agreed to represent the employee; or (c) The United States is a party in litigation, where NCUA determines that litigation is likely to affect the agency or any of its components, is a party to litigation or has an interest in such litigation, and NCUA determines that use of such records is relevant and necessary to the litigation, provided, however, that in each case, NCUA determines that disclosure of the records to the Department of Justice is a use of the information contained in the records that is compatible with the purpose for which the records were collected.
  4. Records in a system of records may be disclosed as a routine use in a proceeding before a court or adjudicative body before which NCUA is authorized to appear (a) when NCUA or any of its components or employees are acting in their official capacities; (b) where NCUA or any employee of NCUA in his or her individual capacity has agreed to represent the employee; or (c) where NCUA determines that litigation is likely to affect the agency or any of its components, is a party to litigation or has an interest in such litigation, and NCUA determines that use of such records is relevant and necessary to the litigation, provided, however, NCUA determines that disclosure of the records is compatible with the purpose for which the records were collected.
  5. A record from a system of records may be disclosed to contractors, experts, consultants, and the agents thereof, and others performing or working on a contract, service, cooperative agreement, or other assignment for NCUA when necessary to accomplish an agency function. Individuals provided information under this routine use are subject to the same Privacy Act requirements and limitations on disclosure as are applicable to NCUA employees.
  6. Records may be disclosed to the Department of Homeland Security (DHS) if captured in an intrusion detection system used by NCUA and DHS pursuant to a DHS cybersecurity program that monitors internet traffic to and from federal government computer networks to prevent cybersecurity incidents;
  7. A record from a system of records may be disclosed to appropriate agencies, entities, and persons when (1) NCUA suspects or has confirmed that the security or confidentiality of information in the system of records has been compromised; (2) NCUA has determined that as a result of the suspected or confirmed compromise there is a risk of harm to economic or property interests, identity theft or fraud, or harm to the security or integrity of this system or other systems or programs (whether maintained by NCUA or another agency or entity) that rely upon the compromised information; and (3) the disclosure made to such agencies, entities, and persons is reasonably necessary to assist in connection with NCUA’s efforts to respond to the suspected or confirmed compromise and prevent, minimize, or remedy such harm.
  8. To another Federal agency or Federal entity, when the NCUA determines that information from this system of records is reasonably necessary to assist the recipient agency or entity in (1) responding to a suspected or confirmed breach or (2) preventing, minimizing, or remedying the risk of harm to individuals, the recipient agency or entity (including its information systems, programs, and operations), the Federal Government, or national security, resulting from a suspected or confirmed breach.

Policies and Practices for Storage of Records: Electronic records and backups are stored on secure servers, approved by NCUA’s Office of the Chief Information Officer (OCIO), and accessed only by authorized personnel.

Policies and Practices for Retrieval of Records: Records are retrievable by a variety of fields including the individual's name or username.

Policies and Practices for Retention and Disposal of Records: Records are maintained and disposed in accordance with the General Records Retention Schedules issued by the National Archives and Records Administration (NARA).

Administrative, Technical and Physical Safeguards: NCUA has implemented the appropriate administrative, technical, and physical controls in accordance with the Federal Information Security Modernization Act of 2014, Pub. L. 113-283, S. 2521, and NCUA’s information security policies to protect the confidentiality, integrity, and availability of the information system and the information contained therein. Access is limited only to individuals authorized through NIST-compliant Identity, Credential, and Access Management policies and procedures. The records are maintained behind a layered defensive posture consistent with all applicable federal laws and regulations, including Office of Management and Budget Circular A-130 and NIST Special Publication 800-37.

Record Access Procedures: Individuals wishing access to their records should submit a written request to the Senior Agency Official for Privacy, NCUA, 1775 Duke Street, Alexandria, VA 22314, and provide the following information:

  1. Full name.
  2. Any available information regarding the type of record involved.
  3. The address to which the record information should be sent.
  4. You must sign your request.

Attorneys or other persons acting on behalf of an individual must provide written authorization from that individual for the representative to act on their behalf. Individuals requesting access must also comply with NCUA’s Privacy Act regulations regarding verification of identity and access to records (12 CFR 792.55).

Contesting Record Procedures: Individuals wishing to request an amendment to their records should submit a written request to the Senior Agency Official for Privacy, NCUA, 1775 Duke Street, Alexandria, VA 22314, and provide the following information:

  1. Full name.
  2. Any available information regarding the type of record involved.
  3. A statement specifying the changes to be made in the records and the justification therefore.
  4. The address to which the response should be sent.
  5. You must sign your request.

Attorneys or other persons acting on behalf of an individual must provide written authorization from that individual for the representative to act on their behalf.

Notification Procedures: Individuals wishing to learn whether this system of records contains information about them should submit a written request to the Senior Agency Official for Privacy, NCUA, 1775 Duke Street, Alexandria, VA 22314, and provide the following information:

  1. Full name.
  2. Any available information regarding the type of record involved.
  3. The address to which the record information should be sent.
  4. You must sign your request.

Attorneys or other persons acting on behalf of an individual must provide written authorization from that individual for the representative to act on their behalf. Individuals requesting access must also comply with NCUA’s Privacy Act regulations regarding verification of identity and access to records (12 CFR 792.55).

Exemptions Promulgated for the System: None.

History: This is a new system.

NCUA-28

System Name and Number: Anti-Harassment Case Tracking and Records, NCUA-28.

Security Classification: Unclassified.

System Location: National Credit Union Administration, 1775 Duke Street, Alexandria, Virginia 22314-3428.

System Manager: Anti-Harassment Coordinator, Office of Ethics Counsel, National Credit Union Administration, 1775 Duke Street, Alexandria, VA 22314-3428.

Authority for Maintenance of the System: 12 U.S.C. 1751, et seq.; Title VII of the Civil Rights Act of 1964, 42 U.S.C. 2000e, et seq.; Age Discrimination in Employment Act of 1967, 29 U.S.C. 621, et seq.; Americans with Disabilities Act, 42 U.S.C. 12101, et seq., including ADA Amendments Act of 2008; Rehabilitation Act of 1973 (Section 501), 29 U.S.C. 791; Notification and Federal Employee Antidiscrimination and Retaliation Act of 2002 (No FEAR Act), Public Law 107-174; Genetic Information Nondiscrimination Act of 2008 (GINA), Public Law 110-233; Executive Order 13087; Executive Order 13152; and further amendments to Executive Order 11478, Executive Order 11246, and EEOC Enforcement Guidance: Vicarious Employer Liability for Unlawful Harassment by Supervisors, Notice 915.002, V.C.1 (June 18, 1999).

Purpose(s) of the System: The information in the system is collected to assist the NCUA with conducting internal investigations into allegations of harassment brought by NCUA employees and NCUA contractors and taking appropriate action(s) to address such allegations.

Categories of Individuals Covered by the System: NCUA employees and NCUA contractors who have submitted complaints or reports of harassment or who have provided information related to an investigation of workplace harassment and NCUA employees and contractors who have been accused of harassment.

Categories of Records in the System: Records in the system include complaints of harassment, statements of witnesses, reports of investigation, investigator's and Chief Ethics Officer’s findings and recommendations, final decisions and corrective action taken, and related correspondence and exhibits. These records include names of the alleged victim, harasser and witnesses, their contact information, and the specific circumstances relevant to the harassment.

Record Source Categories: The information in this system is collected directly from individuals.

Routine Uses of Records Maintained in the System, Including Categories of Users and Purposes of Such Uses: In addition to those disclosures generally permitted under 5 U.S.C. 552a(b) of the Privacy Act, all or a portion of the records or information contained in this system may be disclosed outside the NCUA as a routine use as follows:

  1. To disclose information as necessary to any source from which additional information is requested in the course of processing a complaint or report of harassment.
  2. To provide to the alleged harasser information in the event of a disciplinary hearing.
  3. A record from a system of records may be disclosed as a routine use to an authorized appeal grievance examiner, formal complaints examiner, equal employment opportunity investigator, arbitrator, or other duly authorized official engaged in investigation or settlement of a grievance, complaint, or appeal filed by an employee. Further, a record from any system of records may be disclosed as a routine use to the Office of Personnel Management in accordance with the agency's responsibility for evaluation and oversight of federal personnel management.
  4. If a record in a system of records indicates a violation or potential violation of civil or criminal law or a regulation, and whether arising by general statute or particular program statute, or by regulation, rule, or order, the relevant records in the system or records may be disclosed as a routine use to the appropriate agency, whether federal, state, local, or foreign, charged with the responsibility of investigating or prosecuting such violation or charged with enforcing or implementing the statute, rule, regulation, or order issued pursuant thereto.
  5. A record from a system of records may be disclosed as a routine use to a member of Congress or to a congressional staff member in response to an inquiry from the congressional office made at the request of the individual about whom the record is maintained;
  6. Records in a system of records may be disclosed as a routine use to the Department of Justice, when: (a) NCUA, or any of its components or employees acting in their official capacities, is a party to litigation; or (b) Any employee of NCUA in his or her individual capacity is a party to litigation and where the Department of Justice has agreed to represent the employee; or (c) The United States is a party in litigation, where NCUA determines that litigation is likely to affect the agency or any of its components, is a party to litigation or has an interest in such litigation, and NCUA determines that use of such records is relevant and necessary to the litigation, provided, however, that in each case, NCUA determines that disclosure of the records to the Department of Justice is a use of the information contained in the records that is compatible with the purpose for which the records were collected.
  7. Records in a system of records may be disclosed as a routine use in a proceeding before a court or adjudicative body before which NCUA is authorized to appear: (a) when NCUA or any of its components or employees are acting in their official capacities; (b) where NCUA or any employee of NCUA in his or her individual capacity has agreed to represent the employee; or (c) where NCUA determines that litigation is likely to affect the agency or any of its components, is a party to litigation or has an interest in such litigation, and NCUA determines that use of such records is relevant and necessary to the litigation;
  8. Records in a system of records may be disclosed as a routine use in a proceeding before a court or adjudicative body before which NCUA is authorized to appear (a) when NCUA or any of its components or employees are acting in their official capacities; (b) where NCUA or any employee of NCUA in his or her individual capacity has agreed to represent the employee; or (c) where NCUA determines that litigation is likely to affect the agency or any of its components, is a party to litigation or has an interest in such litigation, and NCUA determines that use of such records is relevant and necessary to the litigation;
  9. A record from a system of records may be disclosed as a routine use to contractors, experts, consultants, and the agents thereof, and others performing or working on a contract, service, cooperative agreement, or other assignment for NCUA when necessary to accomplish an agency function or administer an employee benefit program. Individuals provided information under this routine use are subject to the same Privacy Act requirements and limitations on disclosure as are applicable to NCUA employees;
  10. A record from a system of records may be disclosed to appropriate agencies, entities, and persons when: (1) NCUA suspects or has confirmed that the security or confidentiality of information in the system of records has been compromised; (2) NCUA has determined that as a result of the suspected or confirmed compromise there is a risk of harm to economic or property interests, identity theft or fraud, or harm to the security or integrity of this system or other systems or programs (whether maintained by NCUA or another agency or entity) that rely upon the compromised information; and (3) the disclosure made to such agencies, entities, and persons is reasonably necessary to assist in connection with NCUA’s efforts to respond to the suspected or confirmed compromise and prevent, minimize, or remedy such harm; and
  11. To another Federal agency or Federal entity, when the NCUA determines that information from this system of records is reasonably necessary to assist the recipient agency or entity in: (1) responding to a suspected or confirmed breach; or (2) preventing, minimizing, or remedying the risk of harm to individuals, the recipient agency or entity (including its information systems, programs, and operations), the Federal Government, or national security, resulting from a suspected or confirmed breach.

Policies and Practices for Storage of Records: Electronic records and backups are stored on secure servers, approved by the NCUA’s Office of the Chief Information Officer (OCIO), and accessed only by authorized personnel.

Policies and Practices for Retrieval of Records: Records may be retrieved by any of the following: name of the individual who files a complaint or report of harassment, name of the alleged victim of harassment, if any, and name of the alleged harasser.

Policies and Practices for Retention and Disposal of Records: Records are maintained and disposed of in accordance with the General Records Retention Schedules issued by the National Archives and Records Administration (NARA) or an NCUA records disposition schedule approved by NARA.

Administrative, Technical and Physical Safeguards: NCUA has implemented the appropriate administrative, technical, and physical controls in accordance with the Federal Information Security Modernization Act of 2014, Pub. L. 113-283, S. 2521, and the NCUA’s information security policies to protect the confidentiality, integrity, and availability of the information system and the information contained therein. Access is limited only to individuals authorized through NIST-compliant Identity, Credential, and Access Management policies and procedures. The records are maintained behind a layered defensive posture consistent with all applicable Federal laws and regulations, including Office of Management and Budget (OMB) Circular A-130 and NIST Special Publication 800-37.

Record Access Procedures: After an individual receives verification that they have a record in the system, per the notification procedure above, if they wish to access to their records, they should submit a written request to the Senior Agency Official for Privacy, NCUA, 1775 Duke Street, Alexandria, VA 22314, and provide the following information:

  1. Full name.
  2. Any available information regarding the type of record involved.
  3. The address to which the record information should be sent.
  4. You must sign your request.

Attorneys or other persons acting on behalf of an individual must provide written authorization from that individual for the representative to act on their behalf. Individuals requesting access must also comply with the NCUA’s Privacy Act regulations regarding verification of identity and access to records (12 CFR 792.55).

Contesting Record Procedures: Individuals wishing to request an amendment to their records should submit a written request to the Senior Agency Official for Privacy, NCUA, 1775 Duke Street, Alexandria, VA 22314, and provide the following information:

  1. Full name.
  2. Any available information regarding the type of record involved.
  3. A statement specifying the changes to be made in the records and the justification therefore.
  4. The address to which the response should be sent.
  5. You must sign your request.

Attorneys or other persons acting on behalf of an individual must provide written authorization from that individual for the representative to act on their behalf.

Notification Procedures: Individuals wishing to learn whether this system of records contains information about them should submit a written request to the Senior Agency Official for Privacy, NCUA, 1775 Duke Street, Alexandria, VA 22314, and provide the following information:

  1. Full name.
  2. Any available information regarding the type of record involved.
  3. The address to which the record information should be sent.
  4. You must sign your request.

Attorneys or other persons acting on behalf of an individual must provide written authorization from that individual for the representative to act on their behalf. Individuals requesting access must also comply with the NCUA’s Privacy Act regulations regarding verification of identity and access to records (12 CFR 792.55).

Exemptions Promulgated for the System: This system is exempt under 5 U.S.C. 552a(k)(2) from subsections (c)(3), (d), (e)(1), (e)(4)(G), (e)(4)(H), (e)(4)(I) and (f) of the Act.

History: This is a new system.

NCUA-29

SYSTEM NAME AND NUMBER:  Non-Payroll Employee Administrative Records, NCUA-29.

SECURITY CLASSIFICATION:  Unclassified.

SYSTEM LOCATION:  National Credit Union Administration, 1775 Duke Street, Alexandria, VA 22314-3428.

SYSTEM MANAGER(S):  Director, Office of Human Resources, National Credit Union Administration, 1775 Duke Street, Alexandria, Virginia 22314-3428.

AUTHORITY FOR MAINTENANCE OF THE SYSTEM:  12 U.S.C. 1766.

PURPOSE(S) OF THE SYSTEM:  The purpose of this system is to collect and maintain information used for non-payroll personnel actions and for human resources administrative purposes, including administering supplemental benefits, employee assistance programs, and work-life programs.

CATEGORIES OF INDIVIDUALS COVERED BY THE SYSTEM: To the extent not covered by any other system, this system covers current and former NCUA employees, dependents, and beneficiaries who are enrolled in, apply for, or participate in one or more of NCUA employee benefit programs.

CATEGORIES OF RECORDS IN THE SYSTEM:  Records in the system include Individual name, Social Security number (SSN), employee ID number, Taxpayer Identification Number (TIN), or similar. Records may also include home and work contact information, including address, telephone number, and email address; information related to an employee’s participation in supplemental retirement, health, and benefit programs, including salary information, contribution amount(s), dependents and beneficiary names, addresses, relationship, and Social Security number(s); information about student loans related to the student loan repayment benefit, including type of loan, loan account number, loan holder name and address, total loan amount and amount outstanding; and service agreement information; and receipts and similar documentation provided as evidence of expenditures for reimbursement through supplemental benefits, employee assistance and work-life programs.

RECORD SOURCE CATEGORIES:  The information in this system is obtained from current and former NCUA employees and from entities associated with benefits and work-life programs including retirement, human resources functions, accounting, and payroll systems administration.

ROUTINE USES OF RECORDS MAINTAINED IN THE SYSTEM, INCLUDING CATEGORIES OF USERS AND THE PURPOSES OF SUCH USES:  In addition to those disclosures generally permitted under 5 U.S.C. 552a(b) of the Privacy Act, these records or information contained therein may specifically be disclosed outside the NCUA as a routine use pursuant to 5 U.S.C. 552a(b)(3) as follows:

  1. A record from a system of records may be disclosed as a routine use to carriers, providers, and other Federal agencies involved in the administration of employee benefit programs and such agencies’ contractors or plan administrators, when necessary to determine employee eligibility to participate in such programs, process employee participation in such programs, audit benefits paid under such programs, or perform any administrative function in connection with those programs;
  2. A record from a system of records may be disclosed as a routine use to Federal, state, and local taxation authorities concerning compensation to employees or to contractors; to the Office of Personnel Management, Department of the Treasury, Department of Labor, and other Federal agencies concerning pay, benefits, and retirement of employees; to financial organizations concerning employee allotments to accounts; and to heirs, executors, and legal representatives of beneficiaries;
  3. If a record in a system of records indicates a violation or potential violation of civil or criminal law or a regulation, and whether arising by general statute or particular program statute, or by regulation, rule, or order, the relevant records in the system or records may be disclosed as a routine use to the appropriate agency, whether Federal, State, local, or foreign, charged with the responsibility of investigating or prosecuting such violation or charged with enforcing or implementing the statute, rule, regulation, or order issued pursuant thereto;
  4. A record from a system of records may be disclosed as a routine use to a member of Congress or to a congressional staff member in response to an inquiry from the congressional office made at the request of the individual about whom the record is maintained;
  5. Records in a system of records may be disclosed as a routine use to the Department of Justice, when: (a) NCUA, or any of its components or employees acting in their official capacities, is a party to litigation; or (b) Any employee of NCUA in his or her individual capacity is a party to litigation and where the Department of Justice has agreed to represent the employee; or (c) The United States is a party in litigation, where NCUA determines that litigation is likely to affect the agency or any of its components, is a party to litigation or has an interest in such litigation, and NCUA determines that use of such records is relevant and necessary to the litigation;
  6. Records in a system of records may be disclosed as a routine use in a proceeding before a court or adjudicative body before which NCUA is authorized to appear (a) when NCUA or any of its components or employees are acting in their official capacities; (b) where NCUA or any employee of NCUA in his or her individual capacity has agreed to represent the employee; or (c) where NCUA determines that litigation is likely to affect the agency or any of its components, is a party to litigation or has an interest in such litigation, and NCUA determines that use of such records is relevant and necessary to the litigation;
  7. A record from a system of records may be disclosed as a routine use to contractors, experts, consultants, and the agents thereof, and others performing or working on a contract, service, cooperative agreement, or other assignment for NCUA when necessary to accomplish an agency function or administer an employee benefit program. Individuals provided information under this routine use are subject to the same Privacy Act requirements and limitations on disclosure as are applicable to NCUA employees;
  8. A record from a system of records may be disclosed to appropriate agencies, entities, and persons when (1) NCUA suspects or has confirmed that the security or confidentiality of information in the system of records has been compromised; (2) NCUA has determined that as a result of the suspected or confirmed compromise there is a risk of harm to economic or property interests, identity theft or fraud, or harm to the security or integrity of this system or other systems or programs (whether maintained by NCUA or another agency or entity) that rely upon the compromised information; and (3) the disclosure made to such agencies, entities, and persons is reasonably necessary to assist in connection with NCUA’s efforts to respond to the suspected or confirmed compromise and prevent, minimize, or remedy such harm; and
  9. To another Federal agency or Federal entity, when the NCUA determines that information from this system of records is reasonably necessary to assist the recipient agency or entity in (1) responding to a suspected or confirmed breach or (2) preventing, minimizing, or remedying the risk of harm to individuals, the recipient agency or entity (including its information systems, programs, and operations), the Federal Government, or national security, resulting from a suspected or confirmed breach.

POLICIES AND PRACTICES FOR STORAGE OF RECORDS:  Electronic records and backups are stored on secure servers, approved by NCUA’s Office of the Chief Information Officer (OCIO), within a FedRAMP-authorized commercial Cloud Service Provider’s (CSP) Software-as-a-Service solution hosting environment and accessed only by authorized personnel.

POLICIES AND PRACTICES FOR RETRIEVAL OF RECORDS:  Records are retrievable by a variety of fields including, but not limited to, individual name, SSN, employee ID, or some combination thereof.

POLICIES AND PRACTICES FOR RETENTION AND DISPOSAL OF RECORDS:  Records are maintained and disposed in accordance with the General Records Retention Schedules issued by the National Archives and Records Administration (NARA) or an NCUA records disposition schedule approved by NARA.

ADMINISTRATIVE, TECHNICAL AND PHYSICAL SAFEGUARDS:  NCUA has implemented the appropriate administrative, technical, and physical controls in accordance with the Federal Information Security Modernization Act of 2014, Pub. L. 113-283, S. 2521, and NCUA’s information security policies to protect the confidentiality, integrity, and availability of the information system and the information contained therein.  Access is limited only to individuals authorized through NIST-compliant Identity, Credential, and Access Management policies and procedures.  The records are maintained behind a layered defensive posture consistent with all applicable Federal laws and regulations, including Office of Management and Budget Circular A-130 and NIST Special Publication 800-37.

RECORD ACCESS PROCEDURES:  Individuals wishing access to their records should submit a written request to the Senior Agency Official for Privacy, NCUA, 1775 Duke Street, Alexandria, VA 22314, and provide the following information:

  1. Full name.
  2. Any available information regarding the type of record involved.
  3. The address to which the record information should be sent.
  4. You must sign your request.

Attorneys or other persons acting on behalf of an individual must provide written authorization from that individual for the representative to act on their behalf.  Individuals requesting access must also comply with NCUA’s Privacy Act regulations regarding verification of identity and access to records (12 CFR 792.55).

CONTESTING RECORD PROCEDURES:  Individuals wishing to request an amendment to their records should submit a written request to the Senior Agency Official for Privacy, NCUA, 1775 Duke Street, Alexandria, VA 22314, and provide the following information:

  1. Full name.
  2. Any available information regarding the type of record involved.
  3. A statement specifying the changes to be made in the records and the justification therefore.
  4. The address to which the response should be sent.
  5. You must sign your request.

Attorneys or other persons acting on behalf of an individual must provide written authorization from that individual for the representative to act on their behalf.

NOTIFICATION PROCEDURES:  Individuals wishing to learn whether this system of records contains information about them should submit a written request to the Senior Agency Official for Privacy, NCUA, 1775 Duke Street, Alexandria, VA 22314, and provide the following information:

  1. Full name.
  2. Any available information regarding the type of record involved.
  3. The address to which the record information should be sent.
  4. You must sign your request.

Attorneys or other persons acting on behalf of an individual must provide written authorization from that individual for the representative to act on their behalf.  Individuals requesting access must also comply with NCUA’s Privacy Act regulations regarding verification of identity and access to records (12 CFR 792.55).

EXEMPTIONS PROMULGATED FOR THE SYSTEM:  None.

HISTORY:  This is a new system.

Last modified on