On June 15, 2026, the National Credit Union Administration (NCUA) issued a final rule on 12 CFR Part 749 – Vital Records Preservation Program. The final rule is effective July 16, 2026. 

Under the rule, federally insured credit unions are required to "maintain a vital records preservation program to identify, store, and reconstruct vital records in the event such records are destroyed." 

Sounds simple in theory, but what does this look like in practice? Here are five steps a credit union can follow to comply with this updated rule. 

Step 1: Identify Your Vital Records Under NCUA Part 749 

The golden rule of information security: "You can't protect your data if you don't know where it lives." 💛 

According to the rule, vital records are "the most recent and current versions of the records a credit union needs to restore vital member services." At a minimum, this includes: 

Timeframe 

Data Type 

Details 

End of business day 

Member balances and contact information 

A list of share, deposit, and loan balances for each account that includes individual balances identified by a name or number, multiple loans separately, and a way to contact each member (e.g., address, phone number, etc.). 

End of month 

Financial reports and bank reconcilements 

A list of all credit union asset and liability accounts, as well as records confirming the internal books match external statements. 

End of month 

Key account information 

A list of the credit union's own financial accounts, insurance policies, investment listings, and related contact details. 

As needed 

Emergency contact info 

Contact info for employees, officials, regulatory offices, and vendors 

Updated as needed 

Other vital records 

Anything else the credit union determines should be treated as "vital" based on its operations. 

 

What Changed? 

In the previous version of the rule, Appendix A provided guidance on records that should be retained permanently, including charters and bylaws, board and committee meeting minutes, financial reports, audit reports, membership applications, and general ledgers, to name a few. The updated rule removes Appendix A entirely, narrowing the scope to the records a credit union needs to restore vital member services. 

While records like charters, bylaws, and other foundational documents fall outside that definition, they should continue to be retained as part of normal governance and legal recordkeeping. 

How Can Tandem Help? 

With Tandem Risk Assessment you can create a list of data types (e.g., account balances, financial reports, contact information), assign a data classification, and associate the types with applicable asset records. Tandem can help you keep track of where your data lives, so you can find it when you need it most. 

Step 2: Create a Written Vital Records Preservation Program 

If you've worked in compliance for long, you've probably heard some form of the phrase: "… but did you document it?" That's what this step is about. 

Within six months of getting NCUA insurance, the Board of Directors is expected to establish a written vital records preservation program. According to the rule, the program must: 

  • Define Procedures: Details on how to maintain duplicate vital records at a "vital records center." (More on that in Step 3. ⬇️) 
  • Designated Staff: The people responsible for vital records preservation. This is likely not going to be a single person and could include the data owner(s), the people actually doing the backups, compliance personnel, and/or other third parties. 
  • Storage & Destruction Schedule: Basically, how often are the required data types updated/stored, and when can the old version(s) be destroyed? For example, if you are backing up member account balances daily, then you could destroy the prior version upon confirmation of the next day's storage. (Of course, you may want to keep it longer, but that would be a decision for the credit union to make based on factors like risk, the technology environment, third-party capabilities, and other record retention requirements.) 
  • Records Preservation Log: A record that will "aid in locating and easily accessing the vital records." There are no other specifics provided by the rule, but that feels like a good segue… 

What Changed? 

Records Preservation Log: The previous version of the rule was very prescriptive, requiring the records preservation log to capture things like the record's name, storage location, storage date, and the name of the person sending it for storage. The new rule simply requires a log, leaving the format and content up to the credit union. 

Permission to Destroy: The new rule allows credit unions to destroy older versions of vital records once current versions are stored, unless other retention requirements apply. Think of Marie Kondo standing in your datacenter, pulling up an outdated record and saying, "This does not bring me joy." If the current version is safely stored, you now have explicit permission to thank it for its service and let it go.

How Can Tandem Help? 

Tandem Policies includes template Data Management and Data Backup policies built on NCUA and FFIEC guidance. Together, they cover the full data management lifecycle (i.e., creation, storage, use, retention, and destruction), as well as the technical specifics of managing and protecting backups. Use them as the foundation of your vital records preservation program, tailor them to your environment, and track Board approval to demonstrate oversight. 

Step 3: Keep Duplicate Records Offsite 

Your records must be stored in a "vital records center" (yes, the same one I mentioned earlier ⬆️). A vital records center is an offsite location that must be geographically separate enough that a single catastrophic event can't take out both the primary and backup records at the same time. 

The good news is that you have a lot of flexibility here. The regulations don't prescribe a specific type of facility. This means, your vital records center could be: 

  • An alternate credit union datacenter
  • Another federally insured credit union (with appropriate data segregation controls, of course)
  • A third-party vendor (like a data processor or cloud service provider)
  • Any other storage facility that meets the geographic requirement 

What Changed? 

There's a new third-party oversight obligation, but we'll cover that next.

How Can Tandem Help? 

Use Tandem Business Continuity Planning to create Backup Profiles for your systems and data. Document everything that matters: backup frequency, media types, storage locations, security and access controls, versioning, and restoration plans. Connect your systems with Tandem's Risk Assessment product to put your backup program in full context. 

If you need additional assistance, CoNetrix Technology  is a Tandem Partner that specializes in providing managed IT services, including backup and recovery through their Aspire Cloud Hosting service. Learn more about how CoNetrix Technology can help you at CoNetrix.com/Technology.

Step 4: Manage Your Third-Party Service Providers 

Vendor Oversight: If using a third-party vendor as the vital records center, the rule requires credit unions to maintain "effective oversight" of that vendor to ensure the records meet the rule's requirements. 

While the regulation does not define what constitutes "effective oversight," the NCUA has published guidance on Evaluating Third-Party Relationships (SL 07-01). According to the guidance, the third-party risk management process typically includes planning and risk assessment, due diligence and selection, contract structure and review, ongoing monitoring (think: periodic reviews and testing restoration procedures), and planning for termination. 

Learn more in the Tandem Vendor Management Workbook

Contract Clause: If the credit union uses a third-party service provider to maintain vital records, the service agreement must specify that the vendor safeguards against the simultaneous destruction of production and backup records. (This is particularly relevant when the same vendor serves as both the primary and backup storage provider, but could apply in other circumstances, as well.)

What Changed? 

This section is mostly new. The previous version of the rule allowed for outsourcing, but stopped there. The new rule requires effective oversight and the contract clause. 

In practice, this means the credit union's responsibility doesn't stop when the contract gets signed. Instead, it's the credit union's responsibility to actively monitor the vendor and make sure they are holding up their end of the bargain. 

How Can Tandem Help? 

Tandem Vendor Management is a third-party risk management platform. Demonstrate effective oversight by creating third-party service records, documenting risk assessments, storing contact information, uploading contracts, and performing reviews of relevant third-party relationships.

Step 5: Make Sure Records are Accessible and Usable 

Last, but certainly not least, the credit union is required to ensure the records are accessible and usable. The three core usability requirements are identical in both versions of the rule. The records must: 

  • Accurately reflect the information in the record.
  • Be accessible to all persons entitled to access.
  • Be capable of reproduction by transmission, printing, or otherwise. 

This means if anyone needs to get access to the record (examiners included), the credit union should have the tools and capabilities to ensure they can do so in a timely and effective manner. (No cold storage. 🥶) 

What changed? 

Nothing changed here. Just a couple of minor grammar updates. 

How Can Tandem Help? 

While this topic is operational in nature, it is addressed in the Tandem Policies  template Data Backup policy. The policy implementation procedures require credit unions to restore data from a backup on a regular basis as part of the credit union's BCP exercise and testing program.  

Use Tandem Business Continuity Planning to perform exercises and tests. Use the template scenarios or create your own, and use the software to set reminders, record lessons learned, and generate professional documentation.

Frequently Asked Questions

  1. What is NCUA 12 CFR Part 749?
    NCUA 12 CFR Part 749 is a federal regulation that requires federally insured credit unions to maintain a vital records preservation program to identify, store, and reconstruct vital records in the event they are destroyed.

  2. When did the updated NCUA Part 749 rule take effect?
    The updated rule was published on June 15, 2026 and is effective July 16, 2026. 

  3. Who does NCUA Part 749 apply to?
    Part 749 applies to all federally insured credit unions (FICUs).

  4. What changed in the updated NCUA Part 749 rule?
    The updated rule narrowed the scope of Part 749 to focus specifically on vital records preservation, removed Appendix A (record retention guidelines) and Appendix B (catastrophic act preparedness guidelines), added an explicit vendor oversight obligation, clarified that older versions of vital records may be destroyed once current versions are stored, and gave credit unions more flexibility in how they maintain their records preservation log.

  5. Did the NCUA remove Appendix A and Appendix B from Part 749?
    Yes. The updated rule removes both appendices. Appendix A provided general record retention guidance, and Appendix B provided catastrophic act preparedness guidelines. The NCUA has indicated it may issue separate guidance on some of the topics previously covered in these appendices. 

  6. What are "vital records" under NCUA Part 749?
    Vital records are the most recent and current versions of the records a credit union needs to restore vital member services. They include member account balances and contact information (as of the most recent business day); a financial report and bank reconcilements (as of the most recent month-end); a list of the credit union's financial accounts, insurance policies, and investments; and emergency contact information for employees, officials, regulators, and vendors.

  7. How often do vital records need to be updated?
    Member account balances must be current as of the most recent business day. Financial reports, bank reconcilements, and account/investment listings must be current as of the most recent month-end. Emergency contact information should be kept current and updated, as needed.

  8. Can a credit union designate additional records as vital?
    Yes. The rule allows credit unions to classify additional records as vital and to retain older versions of any vital records as they determine necessary based on their operations.

  9. What records no longer need to be retained permanently under the new rule?
    The updated rule removed Appendix A, which previously recommended permanent retention of records like charters, bylaws, meeting minutes, financial reports, audit reports, membership applications, and general ledgers. These records are no longer addressed in Part 749, but credit unions should continue to retain them as required by other applicable laws, regulations, and sound governance practices. 

  10. What must be included in a credit union's vital records preservation program?
    The written program must include procedures for maintaining duplicate vital records at a vital records center; designated staff responsible for vital records preservation; a storage and destruction schedule; and a records preservation log that aids in locating and accessing vital records. 

  11. What should a records preservation log include?
    The updated rule gives credit unions flexibility to design the log as they see fit, as long as it aids in locating and easily accessing vital records. It may be in electronic or any other format. 

  12. What is a "vital records center" under NCUA Part 749?
    A vital records center is an offsite storage facility located far enough from the credit union's offices to avoid the simultaneous loss of both primary and backup records in the event of a catastrophic act. 

  13. Can a credit union use a cloud service provider as its vital records center?
    Yes. The rule does not prescribe a specific type of facility, so a cloud service provider can serve as a vital records center as long as it meets the geographic separation requirement and the credit union maintains effective oversight of the provider. 

  14. How far away does the vital records center need to be?
    The rule does not specify a precise distance. The standard is that the location must be far enough away to avoid the simultaneous loss of both primary and backup records in the event of a catastrophic act. 

  15. What are the vendor oversight requirements under the updated Part 749?
    If a credit union contracts with a third-party service provider to maintain vital records, it must maintain effective oversight of that vendor to ensure the records continue to meet the requirements. 

  16. What does "effective oversight" of a third-party vendor mean under NCUA Part 749?
    The rule does not define "effective oversight," but the NCUA's third-party risk management guidance (SL 07-01) provides a framework that includes due diligence, contract review, ongoing monitoring, and periodic testing.

  17. What happens if a credit union outsources its vital records storage to a third party?
    The credit union remains responsible for ensuring the records meet Part 749's requirements. Outsourcing storage does not outsource accountability. The credit union must maintain effective oversight of the vendor and ensure the service agreement includes the required contract clause. 

  18. What format can a credit union use to store vital records?
    Vital records may be stored in any format — electronic, paper, microfilm, or otherwise — as long as the format accurately reflects the information, remains accessible to all authorized people, and is capable of being reproduced by transmission, printing, or otherwise. 

  19. How must vital records be made available to NCUA examiners?
    The credit union must maintain the necessary equipment or software to permit an examiner to access the records during the examination process. 

  20. What does it mean for vital records to be "accessible" under Part 749?
    Records must be accessible to all persons entitled to access by statute, regulation, or rule of law, including NCUA examiners. The credit union must ensure the tools needed to retrieve and reproduce the records are available and functional.