12 CFR Part 748 Appendix A

NCUA Part 748 scan-to-email compliance for federally insured credit unions.

Appendix A of 12 CFR Part 748 requires every federally insured credit union to operate an Information Security Program that encrypts member information in transit over external networks. Multifunction printer scan-to-email is the largest transmission path most credit union programs have not yet registered. SecureMFP closes the obligation on every device in the fleet without a firmware change.

The regulation

What NCUA Part 748 requires for credit union information security

NCUA Part 748 is codified at 12 CFR Part 748 and applies to every federally insured credit union including federally chartered credit unions and federally insured state-chartered credit unions. Section 748.0 requires a written security program that protects each credit union office, ensures the security and confidentiality of member records, protects against anticipated threats or hazards, protects against unauthorized access or use that could result in substantial harm or inconvenience to any member, and supports compliance with the Bank Secrecy Act suspicious activity reporting framework. Appendix A is the operational implementation of the GLBA section 501(b) standards and lays out the elements every Information Security Program is examined against. The encryption-in-transit obligation lives inside Appendix A and reaches every transmission path the credit union uses to move member information including the multifunction printer fleet.

Appendix A mapped to the fleet

Part 748 Appendix A Guidelines for Safeguarding Member Information mapping for MFP scan-to-email

Appendix A is divided into four operational sections the credit union information security officer is examined against during the cycle. Section I sets the introduction and scope. Section II names the objectives that mirror GLBA section 501(b)(1) through 501(b)(3). Section III sets the Information Security Program elements including risk assessment, design and implementation of safeguards, oversight of service providers, and continuous adjustment. Section IV addresses member information disposal under the Fair and Accurate Credit Transactions Act. Multifunction printer scan-to-email is a transmission path that triggers every section. Section III.C.1.c specifically names encryption of member information in transit over external networks. SecureMFP closes the obligation by intercepting scan-to-email at a stateless gateway and replacing the plaintext SMTP hop with an encrypted transport channel and an authenticated recipient retrieval session.

Why the gap stayed hidden

Why MFP scan-to-email is the largest unaddressed gap in NCUA examinations

The FFIEC IT Examination Handbook Information Security booklet that NCUA examiners reference was last substantially updated in 2016, before scan-to-email became a routine financial-data transport. The control frameworks credit unions use to test their Information Security Programs were built around servers, core banking systems, online and mobile banking platforms, email gateways, and member-facing portals. Multifunction printers were peripherals, not transmission endpoints. The Quocirca 2024 Print Security Landscape research found just sixteen percent of organizations are completely confident in their print security while sixty-seven percent suffered a print-related breach in the past year. A typical mid-size credit union fleet of fifty multifunction printers averaging twenty-five scans per device per day sends roughly four hundred thousand plaintext transmissions of member information per year that the chief information security officer cannot attest to in the annual Appendix A board report.

The examiner walkthrough

The NCUA examiner walkthrough on scan workflows

NCUA examiners working an Appendix A Information Security Program review walk through every transmission path with the same four-question sequence federal banking examiners use under the Interagency Guidelines. The multifunction printer fleet is now in scope. Plaintext SMTP scan-to-email fails all four. The credit union that registers SecureMFP inside the program answers all four in a single audit log. The sequence below mirrors the FFIEC IT Examination Handbook.

Examiner questionWhat plaintext SMTP returns
Who sent this scan-to-email transmission?MFP header. Easily forged. No mutual authentication.
Who received this scan-to-email transmission?Recipient list. Partial. No retrieval confirmation.
Was the content encrypted device to recipient?Opportunistic TLS at best. Fallback to plaintext on many relays.
Can you produce one scan from 90 days ago for retention testing?Mailbox dependent. Often deleted. Uncontrolled at the recipient.
The workflows in scope

Common credit union scan workflows that touch member data

Credit unions move member information across multifunction printers every day in workflows that the Information Security Program risk assessment often does not enumerate. Loan origination files for auto loans, share-secured loans, signature loans, and home equity lines of credit move scanned identification, paystubs, tax returns, and employment verifications. New-membership packets carry the Patriot Act customer identification documents and the share-account opening signature cards. Beneficiary designations for individual retirement accounts and share certificates carry full names, addresses, and Social Security numbers. Wire-transfer authorizations carry routing information and member signatures. Indirect-lending packages from auto dealers and home-improvement contractors arrive by fax-to-email at the lending department. Each of these workflows produces multiple plaintext SMTP transmissions per member file. Each is in scope under Appendix A. SecureMFP encrypts every one of them at the device.

Control-by-control mapping

How SecureMFP maps to Appendix A.III Information Security Program elements

SecureMFP intercepts scan-to-email at a stateless gateway between the multifunction printer fleet and the mail relay. Plaintext SMTP becomes encrypted transport with mutual authentication. The mapping below ties each control surface to the Appendix A.III element the examiner references during the walkthrough.

Appendix A.III elementSecureMFP control surface
III.A Involve the board of directorsBoard-report language supplied annually with the scan-to-email control summary.
III.B Assess riskScan-to-email risk-assessment delta supplied at deployment for ISP integration.
III.C.1 Manage and control riskEncrypted transport replaces plaintext SMTP for every scan transmission.
III.C.1.c Encryption in transitMutual authentication on every scan path, no fallback to plaintext.
III.D Oversee service providersBotdoc SOC 2 Type II evidence supplied for the vendor management file.
III.E Adjust the programControl language updated each year for the annual ISP refresh cycle.
III.F Report to the boardPer-document audit log produces evidence for the annual board report.
Deployment for credit unions

Credit-union-specific deployment notes, fleet size, and league overlap

Community credit unions typically operate between ten and forty multifunction printers across the main office and branch network. Mid-size credit unions in the one billion to five billion dollar asset range typically operate between forty and two hundred devices. Multi-state credit unions and federal-credit-union service organizations often exceed two hundred devices. Most credit unions run a managed print services contract with a regional or national copier reseller covering HP, Xerox, Ricoh, Konica Minolta, Canon, Lexmark, Sharp, Kyocera, Brother, and Toshiba. SecureMFP is brand-agnostic, sits between the fleet and the mail relay, and deploys in five minutes per device with no firmware change required. State-league overlap including the California Credit Union League, the Cornerstone League, and the Michigan Credit Union League tracks the Appendix A obligation. The control-language draft satisfies both the state regulator and the NCUA examiner.

FAQ, the regulation

What Part 748 covers and how it relates to GLBA section 501(b)

Part 748 is the NCUA implementation of GLBA section 501(b) for federally insured credit unions. Appendix A is the operational implementation of the safeguards principle and the language examiners use during the cycle. The Section III.C.1.c encryption-in-transit obligation reaches every transmission path the credit union uses to move member information including the multifunction printer fleet.

What does NCUA Part 748 require for credit union scan-to-email?

12 CFR Part 748 Appendix A Section III.C.1.c requires encryption of member information in transit over external networks. Scan-to-email transmissions from multifunction printers move member information over plaintext SMTP, which does not satisfy the encryption obligation. The examiner asks how the principle is satisfied for every transmission path, and the multifunction printer fleet is a transmission path that most Information Security Programs have not registered.

FAQ, scope and devices

Whether multifunction printers fall inside Part 748 scope

The regulation does not enumerate device classes. The principle reaches every transmission path that moves member information across an external network. The multifunction printer fleet is in scope by function, the same way servers, laptops, and email gateways are in scope. The exam walkthrough now asks about scan-to-email, fax-to-email, and scan-to-folder paths the prior cycle did not test. Most Information Security Programs have not yet registered the fleet as a transmission endpoint.

Does the NCUA name multifunction printers in Part 748?

No. Appendix A uses principle-based language. The Guidelines require encryption in transit and access controls without enumerating device classes. Multifunction printers fall in scope because they process and transmit member information. The examiner asks how the principle is satisfied for every transmission path including scan-to-email, fax-to-email, and scan-to-folder.

FAQ, state and league overlap

How state regulators and credit union leagues view the obligation

State-chartered credit unions answer to both the state regulator and the NCUA on federal-insurance scope. State leagues track the same examiner expectations and publish operational guidance to their member credit unions. The encryption-in-transit obligation appears in state-level safeguards language, in the NCUA Appendix A federal text, and in the audit work papers that external compliance consultants reference during the engagement. The control-language draft fits both surfaces and travels with the audit-firm relationship.

What state regulators overlay Part 748?

State-chartered credit unions are examined by their state regulator and, where federally insured, by the NCUA. State leagues including the California Credit Union League, the Cornerstone League, and the Michigan Credit Union League track examiner expectations on the Information Security Program. The encryption-in-transit obligation appears in both state and federal exam scope. The control-language draft fits both.

FAQ, deployment

How deployment fits a typical credit union fleet

The five-minute-per-device deployment scales to most credit union fleets inside two to four weeks. The managed print services contract is preserved. No firmware change is required. The channel partner handles deployment and operations while the information security officer gets the audit-trail console and the control-language draft for the next exam.

What is a typical credit union multifunction printer fleet size?

Community credit unions typically operate ten to forty multifunction printers across the main office and branches. Mid-size credit unions in the one billion to five billion dollar asset range typically operate forty to two hundred devices. Multi-state credit unions and federal-credit-union service organizations often exceed two hundred devices. The five-minute-per-device deployment scales to the full fleet inside a typical two-to-four-week rollout window.

FAQ, managed print services

Whether SecureMFP works with the existing managed print services contract

The managed print services contract, the copier lease, and the fleet are unchanged. SecureMFP sits between the fleet and the mail relay as a stateless gateway. The channel partner runs deployment and operations. The credit union information security officer takes ownership of the audit-trail console and the Information Security Program control-language register. The relationship with the existing managed print services provider continues. The Botdoc SOC 2 Type II report covers service-provider oversight obligations.

Does SecureMFP work with our managed print services provider?

Yes. SecureMFP is brand-agnostic across HP, Xerox, Ricoh, Konica Minolta, Canon, Lexmark, Sharp, Kyocera, Brother, and Toshiba. The managed print services contract, the copier lease, and the fleet are unchanged. The channel partner running the managed print services contract handles deployment and operations. The credit union information security officer gets the audit-trail console and the control-language draft.

FAQ, the walkthrough

What NCUA examiners ask about scan-to-email and how the control responds

The walkthrough on scan-to-email is a four-question sequence. The Appendix A.III mapping is the response in a single audit log. The four questions cover sender authentication, recipient confirmation, encryption from device to recipient, and retention sampling at ninety days. Plaintext SMTP fails all four reliably. The credit union with SecureMFP registered inside the Information Security Program answers all four in evidence the examiner accepts on first request.

What does the NCUA examiner ask about scan-to-email?

Four questions. Who sent the transmission. Who received it. Was the content encrypted from the device to the recipient. Can a retention sample from ninety days ago be produced for testing. Plaintext SMTP cannot answer any of the four reliably. The credit union that registers SecureMFP inside the Information Security Program answers all four in a single audit log. The examiner records the control as in place.

FAQ, enforcement

How the NCUA enforces Part 748 and where the scan-to-email obligation is trending

The NCUA enforces through the exam cycle, management letters, Documents of Resolution, and civil money penalties under federal statute. The encryption-in-transit obligation has historically been examiner-discretion language under the principle-based framework. Industry analyst data and the FFIEC IT Examination Handbook refresh cycle are pulling scan-to-email into the standard walkthrough across the federally insured credit union population. Credit unions registering the control proactively get a smoother management letter outcome.

Will Part 748 enforcement reach scan-to-email?

The NCUA enforces Part 748 through the examination cycle, management letters, Documents of Resolution, and civil money penalties under 12 USC 1786 and 1789. The encryption-in-transit obligation is examiner-discretion language today. Industry analyst data and the FFIEC IT Examination Handbook refresh cycle are pulling scan-to-email into the standard walkthrough. The credit unions that pre-register the control get a smoother exam.

FAQ, exam cycle

How the eight to sixteen month NCUA exam cycle shapes the timing

The exam cycle is shorter than the federal banking cycle. The control-language draft and the audit log are designed to drop straight into the cycle. Credit unions pre-registering the control inside the Information Security Program before the next cycle answer the four examiner questions in evidence the first time the walkthrough lands.

How does Part 748 relate to GLBA section 501(b)?

Part 748 is the NCUA implementation of GLBA section 501(b) for federally insured credit unions. The Interagency Guidelines under federal banking regulators and Part 748 Appendix A under the NCUA share the same statutory parent and the same encryption-in-transit obligation. Examiner language is similar. The exam cycle for credit unions is typically eight to sixteen months depending on asset size and CAMELS composite.

Talk to a specialist

Talk to a SecureMFP specialist about your Part 748 obligations

A SecureMFP specialist will walk through the 12 CFR Part 748 Appendix A mapping for your specific multifunction printer fleet, supply the Information Security Program control-language draft your compliance officer can register, and coordinate with your NCUA examiner or external audit firm ahead of the next exam cycle. Thirty minutes is the standard slot. The walkthrough covers the Appendix A.III.A through III.F per-element mapping for scan-to-email, the examiner four-question response evidence, the annual board-report language, and the service-provider oversight evidence the cycle requires. Forward-thinking community, mid-size, and federal-credit-union service organizations are closing the gap before the next exam cites it. The standard rollout is two to four weeks for a typical fleet, with five minutes per device on site.