On November 12, 1999, President Clinton signed into law the Gramm-Leach-Bliley Act (the “Act”). Title V, Subtitle A of the Act governs consumer financial privacy and requires NCUA and the banking regulators to issue regulations to implement those provisions. NCUA issued Part 716 of its Rules and Regulations entitled Privacy of Consumer Financial Information to implement provisions governing the privacy of consumer financial information. NCUA’s regulation is substantively identical to the regulation of the four banking regulators. The rule became effective on November 13, 2000; however, compliance will not be required until July 1, 2001.
3. DEFINITION AND DISCUSSION OF TERMS.
Part 716 includes the terms “nonpublic personal information,” “consumer,” “member,” “affiliate,” “nonaffiliated third party,” and the “opt out” right and the exceptions to it. These terms are described and discussed as follows:
Nonpublic personal information.
Nonpublic personal information is “personally identifiable financial information” that a consumer provides to the credit union; the results of a transaction between the consumer and the credit union; or information that a credit union otherwise obtains about a consumer in connection with providing a financial product or service. Examples of nonpublic personal information include:
- Information provided on an application to obtain membership or a financial product or service.
- Account balance information, payment history, overdraft history, and credit/debit card purchases.
- Information provided in connection with collecting on a loan or servicing a loan.
- Information collected from an internet collection device (“cookie”).
- Information from a consumer report.
Nonpublic personal information includes any list or description or other grouping of consumers that is derived using any personally identifiable financial information. For example, such a list would include a list of individual names and addresses derived in whole or in part using personal financial information (e.g., account numbers or loan information).
Conversely, publicly available information is any information that the credit union has a reasonable basis for believing is lawfully made available to the general public from government records, widely distributed media, or legally required disclosures to the general public. This includes information available in a public telephone book.
A consumer is an individual (may be a member) who obtains or has obtained a financial product or service from the credit union that is primarily used for personal, family, or household purposes. A consumer includes an individual’s legal representative. Examples include the following:
- An individual, who provides information in connection with a membership application, regardless of whether that individual becomes a member.
- An individual, who provides nonpublic personal information through the use of the credit union’s ATM or through the credit union’s ownership or servicing rights to an individual’s loan.
A member is a consumer who has an on-going member relationship with the credit union. Examples include the following:
- An individual, who meets the definition of member, as defined in the credit union’s bylaws.
- A nonmember, who has a share, share draft, or credit card account held jointly with a member.
- A nonmember, who has a loan that the credit union services.
- A nonmember, who has an account in a low-income credit union.
- A nonmember, who has an account in a federally insured, state- chartered credit union pursuant to state law.
Note: There is a special rule for loans. When a member obtains a loan from a credit union, and that is the only basis for the member relationship, if the credit union subsequently transfers the servicing rights to that loan to another financial institution, the member relationship transfers with the servicing rights.
An affiliate is a company that a credit union or a group of credit unions controls. Examples include the following:
- For federally chartered credit unions, a credit union service organization (CUSO) that is controlled by the credit union would constitute the only affiliate. NCUA will presume a credit union has a controlling influence over the management or policies of a CUSO, if the CUSO is 67 percent owned by that credit union or by that credit union and other credit unions.
- For federally insured state credit unions, an affiliate would be a CUSO or another company controlled by the credit union.
Nonaffiliated third party:
A nonaffiliated third party is any person except:
- The credit union’s affiliate.
- A person employed jointly by the credit union and any company that is not the credit union’s affiliate.
Opt Out Right and Exceptions:
Consumers have the right to opt out of, or prevent, a credit union’s disclosure of nonpublic personal information about them to a nonaffiliated third party, unless an exception to the right applies. What constitutes a reasonable opportunity to opt out depends on 4 the circumstances surrounding the consumer’s transaction.
Exceptions to the opt out right include a credit union’s disclosure of nonpublic personal information:
- To a nonaffiliated third party for performing services for the credit union or functions on its behalf, such as outsourcing marketing of the credit union’s products to an advertising company, or using a mailing house to send out marketing information about the credit union’s products and services to the credit union’s members;
- In a joint marketing agreement with a non affiliated third party financial institution to jointly offer, endorse, or sponsor a financial product or service provided the credit union has disclosed the financial institution’s general lines of business in its privacy notice;
- As necessary to effect, administer, or enforce a transaction that a consumer requests or authorizes. Examples of third parties which may fall under this exception include: check printers, mortgage servicers, collection agencies, data processors, collateral protection insurance, and statement mailers; and
- For specified other disclosures, such as to protect against or prevent actual or potential fraud; to the credit union’s attorneys, accountants, and auditors; to and from consumer reporting agencies; or to comply with applicable legal requirements, such as the disclosure of information to regulators or the securitization of a credit union’s mortgage portfolio.
What is the scope of Part 716?
Part 716 requires credit unions to provide notice to their members and consumers regarding the credit union’s privacy policies and practices for information provided to affiliated and nonaffiliated third parties. The rule describes the conditions under which a credit union may disclose nonpublic information about consumers to nonaffiliated third parties. Finally, Part 716 provides a method, called opting out, whereby consumers may prevent a credit union from disclosing nonpublic information to most nonaffiliated third parties.
Who is covered by the Part 716?
Part 716 applies to information regarding individuals who obtain financial products or services for personal, family, or household purposes. It does 5 not apply to information regarding companies or about individuals who obtain financial products or services for business, commercial, or agricultural purposes.
What does Part 716 require?
The three principal requirements relating to the privacy of consumer financial information are:
- Credit unions must provide their members with notices describing their security policies and their privacy policies and practices, including their policies with respect to the disclosure of nonpublic personal information to their affiliates and to nonaffiliated third parties. Credit unions must provide the notices at the time the member relationship is established and annually thereafter.
- Subject to specified exceptions, credit unions may not disclose nonpublic personal information about consumers to any nonaffiliated third party unless the credit union gives consumers a reasonable opportunity to direct that such information not be shared (to opt out).
- Credit unions generally may not disclose member account numbers to any nonaffiliated third party for marketing purposes.
What requirements must credit unions follow regarding the disclosure of nonpublic personal information (other than account numbers)?
A credit union must not disclose nonpublic personal information about a consumer to a nonaffiliated third party, unless:
- The credit union has provided the consumer with an initial notice;
- The credit union has provided the consumer with an opt out notice;
- The credit union has given the consumer a reasonable opportunity, before the credit union discloses the information to the nonaffiliated third party, to opt out; and
- The consumer has not opted out.
In all cases, a credit union must provide a privacy notice to its members. However, credit unions that do not share nonpublic personal information except as permitted under §§716.14 and 716.15 need not provide a notice to consumers who are not members.
When must a credit union provide a privacy notice and what must the notice include?
A credit union must provide an initial notice that accurately describes its privacy policies and practices to individual consumers who establish a member relationship with the credit union, not later than the time the member relationship is established. Unless an exception applies, the credit union must also provide this initial privacy notice to any other consumer, even if not a member of the credit union, before the credit union discloses that consumer’s nonpublic personal information to a nonaffiliated third party. Credit unions also must provide their members an annual privacy notice.
All privacy notices must be clear and conspicuous, and in a form such that the credit union can reasonably expect each intended recipient will receive actual notice. Notices must be in writing (unless the consumer agrees to electronic delivery). The notices must describe, among other things, the types of nonpublic personal information collected and disclosed, the types of affiliated and nonaffiliated third parties with whom the information may be shared, and the consumer’s right to opt out and thereby limit certain information sharing by the credit union. The notices must also describe the credit union’s policies and practices with respect to protecting the confidentiality and security of nonpublic personal information.
Credit unions must provide an initial privacy and opt out notice to members and applicable consumers before July 1, 2001. Credit unions may enclose the notice to members with a periodic statement. For credit unions that wish to include the required notices with periodic statements but do not provide statements at least quarterly, the notices must be included in year-end 2000 statements. Otherwise, the notices will require a separate mailing.
If two or more consumers jointly obtain from the credit union a financial product or service, other than a loan, the credit union may provide only one initial privacy notice and one opt out notice to those consumers jointly. In the case of a loan, a credit union must provide separate notices to individuals, other than the primary borrower, if the credit union is actually sharing nonpublic personal information about them.
When must a credit union use an opt-out?
Credit unions generally may not, directly or through an affiliate, disclose a consumer’s nonpublic personal information to any nonaffiliated third party unless the consumer is given a reasonable opportunity to direct that such information not be disclosed, i.e., to opt out. Thus, before a credit union may disclose nonpublic personal information about a consumer to a nonaffiliated third party, the credit union must provide the consumer with an initial privacy notice and an opt-out notice (which may be included in the privacy notice). The definition section describes exceptions to these opt-out requirements.
Under what circumstances is the credit union required to provide a revised notice?
When the credit union wishes to disclose nonpublic personal information in a manner other than described in the initial notice, it must provide a revised notice and a new opt out notice with reasonable opportunity to opt out. The credit union may not disclose any information unless it has provided these notices and the consumer has not opted out.
What are the rules regarding disclosure of account numbers?
A credit union generally may not disclose an account number or similar form of access number or access code for a credit card account, share account, or transaction account of a consumer to any nonaffiliated third party (other than a consumer reporting agency) for use in telemarketing, direct mail, or other marketing through electronic mail to the consumer. Exceptions to this rule include encrypted account numbers disclosed without an accompanying means of decryption.
Does Part 716 limit the receipt of nonpublic personal information (redisclosure and reuse)?
Part 716 limits the redisclosure or reuse of nonpublic personal information that the credit union receives from other nonaffiliated financial institutions, as follows:
- For nonpublic personal information received under an exception in §716.14 or §716.15 the credit union is limited to:
- Disclosing the information to the affiliates of the institution from which it received the information;
- Disclosing the information to its own affiliates, who may, in turn, disclose and use the information only to the extent that the financial institution can do so; and
- Disclosing and using the information pursuant to an exception in §716.14 or §716.15 in the ordinary course of business to carry out the activity covered by the exception under which it received the information (for example, an institution receiving information for account processing could disclose the information to its auditors).
- For nonpublic personal information received other than under an exception in §716.14 or §716.15, the recipient’s has unlimited use of the information, but must limit its disclosure of the information to:
- Disclosing the information to the affiliates of the credit union from which it received the information;
- Disclosing the information to its own affiliates, who may, in turn disclose the information only to the extent that the credit union can do so; and
- Disclosing the information to any other person, if the disclosure would be lawful if made directly to that person by the financial institution from which it received the information.
When and how must a credit union provide member notices?
A credit union must provide notice to members of its privacy policies and practices at the following various times:
- A credit union must provide an initial notice to each consumer, who is not a member, before sharing nonpublic personal information, and to each member, generally upon establishing a member relationship. An initial notice is a clear and conspicuous notice that accurately relates the credit union’s privacy policies and practices. §716.9 describes the cases in which subsequent delivery of the notice is allowed.
- A credit union must provide an annual notice at least once in any period of 12 consecutive months during the continuation of the member relationship. For example, if a member opens an account on any day of year one, it must provide an annual notice to that member by December 31 of year two.
- A credit union must provide a revised notice when the original notice no longer applies. For example, when an existing member obtains a new financial product or service from a credit union and the most 9 recent notice provided to the member was not accurate with respect to that product or service, the credit union must provide a revised notice.
The credit union may provide a simplified notice when it has no affiliates and only discloses nonpublic personal information to nonaffiliated third parties as authorized by law (see sample notice for small credit unions). The credit union may also choose to provide a short-form notice to consumers who are not members as long as the complete initial notice is reasonably available upon request.
In addition to the foregoing required notices, if applicable, the credit union must provide an opt out notice that accurately explains the consumer’s right to opt out of information sharing and includes a reasonable means for doing so. The credit union must provide the opt out notice and opportunity to opt out before it discloses nonpublic personal information to nonaffiliated third parties outside of exceptions in §§716.13 - 716.15.
All notices must be clear and conspicuous and must accurately reflect the credit union’s privacy policies and practices. Several general principles also apply to the delivery of notices. For instance, a credit union must deliver notices so that the consumer can reasonably be expected to receive actual notice in writing or if the consumer agrees, electronically. In addition, for members only, a financial institution must provide the initial notice, the annual notice, and the revised notice so that the member can retain them or obtain them later in writing or, if the member agrees, electronically.
How does Part 716 relate to state law?
Part 716 does not supersede, alter, or affect any state statute, regulation, order, or interpretation that is more consumer protective than the regulation, as determined by the Federal Trade Commission.
Does Part 716 contain any grandfathered provisions?
Contracts that a credit union has entered into on or before July 1, 2000 with a nonaffiliated third party to perform services for the credit union or functions on its behalf, satisfy the requirements of the regulations until July 1, 2002.
How will Part 716 impact credit unions regarding their responsibilities under the Fair Credit Reporting Act (FCRA)?
Part 716 does not modify, limit, or supersede the operation of the Fair Credit Reporting Act1.
As a general matter, a credit union will not be subject to the FCRA’s substantial requirements that apply to consumer reporting agencies if the credit union communicates only transaction or experience information to third parties or among its affiliates. Additionally, a credit union will not become a consumer reporting agency if it shares with its affiliates other information, such as information from a credit report or from a member’s loan application that would ordinarily be considered consumer report information, if it is clearly and conspicuously disclosed to the consumer that such information sharing may occur, and the consumer is given an opportunity to direct that the information not be shared, i.e., to "opt out."
The FCRA does, however, impose a number of requirements on persons that use consumer reports or furnish information to consumer reporting agencies, and these provisions can apply to credit unions. Several of these provisions protect the privacy of consumer information, including one that requires a credit union to use or obtain consumer reports only for specific permissible purposes under the statute. Another provision requires a credit union that solicits members for offers of credit based on information in consumer reports ("prescreened offers") to provide a clear and conspicuous notice with each offer informing consumers, among other things, how they can opt out of further solicitations.
How will Part 716 impact credit unions regarding their responsibilities under the Electronic Fund Transfer Act (EFTA)?
The EFTA and the Federal Reserve Board’s Regulation E require that credit unions make certain disclosures at the time a consumer contracts for an electronic fund transfer service or before the first electronic fund transfer is made involving the consumer’s account. For example, the credit union must disclose the circumstances under which, in the ordinary course of business, the credit union may provide information concerning the consumer’s account to third parties, whether or not the third party is affiliated with the credit union. This disclosure must encompass any information that may be provided concerning the account (not just information relating to the electronic fund transfers themselves). The EFTA and Regulation E requirements apply with respect to share drafts, share accounts, and other member accounts.
Credit unions may wish to consider including an initial privacy notice that satisfies the Privacy of Consumer Financial Information regulations for compliance with the EFTA and Regulation E.
As the requirements of Part 716 and the related regulations are significant, credit unions should consider carefully how they plan to comply.
Yolanda T. Wheat
National Credit Union Administration Board
1On October 19, 2000, the NCUA Board issued a Notice of Proposed Rulemaking (NPR) proposing regulations that implement the affiliate information sharing provisions of the FCRA under Part 706 of NCUA’s regulations (65 Fed. Reg. 64168 (October 26, 2000)). The proposed regulations address matters such as the content and delivery of opt out notices to consumers. The NPR’s comment period closed December 26, 2000.