Title V, Subtitle A of the Gramm-Leach-Bliley Act (GLBA) [1] governs the treatment of nonpublic personal information about consumers by financial institutions. Section 502 of the Subtitle, subject to certain exceptions, prohibits a financial institution from disclosing nonpublic personal information about a consumer to nonaffiliated third parties, unless (i) the institution satisfies various notice and opt-out requirements, and (ii) the consumer has not elected to opt out of the disclosure. Section 503 requires the institution to provide notice of its privacy policies and practices to its customers. Section 504 authorizes the issuance of regulations to implement these provisions.
Title X of the Dodd-Frank Wall Street Reform and Consumer Protection Act (Dodd-Frank Act) [2] granted rulemaking authority for most provisions of Subtitle A of Title V of GLBA to the Consumer Financial Protection Bureau (CFPB) with respect to financial institutions and other entities subject to the CFPB’s jurisdiction, except securities and futures-related companies and certain motor vehicle dealers. The Dodd-Frank Act also granted authority to the CFPB to examine and enforce compliance with these statutory provisions and their implementing regulations with respect to entities under CFPB jurisdiction. [3] In December 2011 the CFPB re-codified in Regulation P, 12 CFR Part 1016, the implementing regulations that were previously issued by the Board, the FDIC, the Federal Trade Commission (FTC), the NCUA, the OCC, and the former OTS. [4]
On December 1, 2009, the eight federal agencies jointly released a voluntary model privacy form designed to make it easier for consumers to understand how financial institutions collect and share nonpublic personal information. [5] The final rule adopting the model privacy form was effective on December 31, 2009.
On October 28, 2014, the CFPB published a final rule amending the requirements regarding financial institutions’ provision of their annual disclosures of privacy policies and practices to customers by creating an alternative delivery method that financial institutions can use under certain circumstances. [6] The amendment was effective immediately upon publication. The alternative delivery method allows a financial institution to provide an annual privacy notice by posting the annual notice on its web site, if the financial institution meets certain conditions.
As of December 4, 2015, section 75001 of the Fixing America’s Surface Transportation Act [7] (FAST Act) amended section 503 of GLBA to establish an exception to the annual privacy notice requirements whereby a financial institution that meets certain criteria is not required to provide an annual privacy notice to customers. The amendment was effective upon enactment.
There are fewer requirements to qualify for the exception to providing an annual privacy notice pursuant to the FAST Act GLBA amendments than there are to qualify to use the CFPB’s alternative delivery method; any institution that meets the requirements for using the alternative delivery method is effectively excepted from delivering an annual privacy notice.
Under the authority of GLBA and the Fair Credit Reporting Act, NCUA issued the Guidelines for Safeguarding Member Information, 12 CFR Part 748, Appendix A (Security Guidelines). The Security Guidelines require a credit union to establish standards relating to administrative, technical, and physical safeguards to ensure the security, confidentiality, integrity, and proper disposal of information. The Security Guidelines impose requirements separate from the privacy requirements of GLBA and Regulation P and address safeguarding the confidentiality and security of information and ensuring proper disposal of information. The Security Guidelines are directed toward preventing and responding to foreseeable threats to, or unauthorized access or use of, that information. The Security Guidelines provide that credit unions must contractually require their affiliated and nonaffiliated third-party service providers that have access to the credit union’s data containing personal information to protect that information. NCUA has also released the IT Security Compliance Guide, which is intended to help credit unions comply with the Security Guidelines.
You can find the full text of Regulation P here. You can find the sections of the GLBA relevant to consumer financial privacy here.
- Definitions
- Associated Risks
- Exam Objectives
- Exam Procedures
- Checklist
Associated Risks
Compliance Risk can occur when the credit union fails to implement the necessary controls to comply with Regulation P.
Reputation Risk can occur when members of the credit union learn of its failure to comply with Regulation P.
Examination Objectives
- To assess the quality of the credit union’s compliance management policies, procedures, and internal controls for implementing the regulation, specifically ensuring consistency between what the credit union tells consumers in its notices about its policies and practices and what it actually does.
- To determine the reliance that can be placed on the credit union’s policies, procedures, and internal controls for monitoring the credit union’s compliance with the regulation.
- To determine the credit union’s compliance with the regulation, specifically in meeting the following requirements:
- Providing members notices of its privacy policies and practices that are timely, accurate, clear and conspicuous, and delivered so that each member can reasonably be expected to receive actual notice;
- Disclosing nonpublic personal information to nonaffiliated third parties, other than under an exception, after first meeting the applicable requirements for giving members notice and the right to opt out;
- Appropriately honoring member opt out directions;
- Lawfully using or disclosing nonpublic personal information received from a nonaffiliated financial institution; and
- Disclosing account numbers only according to the limits in the regulation.
- To initiate effective corrective actions when violations of law are identified, or when policies, procedures, or internal controls are deficient.
Examination Procedures [8]
- Through discussions with management and review of available information, identify the credit union’s information sharing practices (and changes to those practices) with affiliates and nonaffiliated third parties; how it treats nonpublic personal information; and how it administers opt-outs. Consider the following as appropriate:
- Notices (initial, annual, revised, opt-out, short-form, and simplified);
- Credit union privacy policies, procedures, and internal controls, including those to:
- Process requests for nonpublic personal information, including requests for aggregated information;
- Deliver notices to consumers;
- Manage consumer opt out directions (e.g., designating files, allowing a reasonable time to opt out, providing new opt out and privacy notices when necessary, receiving opt out directions, handling joint account holders);
- Prevent the unlawful disclosure and use of the information received from nonaffiliated financial institutions; and
- Prevent the unlawful disclosure of account numbers;
- Information sharing agreements between the credit union and affiliates and service agreements or contracts between the credit union and nonaffiliated third parties either to obtain or provide information or services;
- Complaint logs, telemarketing scripts, and any other information obtained from nonaffiliated third parties (Note: review telemarketing scripts to determine whether the contractual terms set forth under § 1016.13 are met and whether the credit union is disclosing account number information in violation of § 1016.12);
- Categories of nonpublic personal information collected from or about consumers in obtaining a financial product or service (e.g., in the application process for deposit, loan, or investment products; for an over-the-counter purchase of a bank check; from E-banking products or services, including information collected electronically through Internet cookies; or through ATM transactions);
- Categories of nonpublic personal information shared with, or received from, each nonaffiliated third party;
- Consumer complaints regarding the treatment of nonpublic personal information, including those received electronically;
- Records that reflect the credit union’s categorization of its information sharing practices under § 1016.13, § 1016.14, § 1016.15, and outside of these exceptions; and
- Results of a 501(b) (15 U.S.C. 6801(b)) inspection (used to determine the accuracy of the credit union’s privacy disclosures regarding information security).
- Use the information gathered from step 1 to work through the “Privacy Notice and Opt-Out Decision Tree” below. Identify which module(s) of procedures is (are) applicable.
- Use the information gathered from step 1 to work through the Redisclosure and Reuse and Account Number Sharing Decision Trees below, as necessary. Identify which module is applicable.
- Determine the adequacy of the credit union’s policies, procedures, and internal controls to ensure compliance with the regulation as applicable. Consider the following:
- Sufficiency of internal policies, procedures, and internal controls, including review of new products and services and controls over servicing arrangements and marketing arrangements;
- Effectiveness of management information systems, including the use of technology for monitoring, exception reports, and standardization of forms and procedures;
- Frequency and effectiveness of monitoring procedures;
- Adequacy and regularity of the credit union’s training program;
- Suitability of the compliance audit program for ensuring that:
- The procedures address all regulatory provisions as applicable;
- The work is accurate and comprehensive with respect to the credit union’s information sharing practices;
- The frequency is appropriate;
- Conclusions are appropriately reached and presented to responsible parties;
- Steps are taken to correct deficiencies and to follow-up on previously identified deficiencies; and
- Knowledge level of management and personnel.
- Ascertain areas of risk associated with the credit union’s sharing practices (especially those within § 1016.13 and those that fall outside of the exceptions) and any weaknesses found within the compliance management program. Keep in mind any outstanding deficiencies identified in the audit for follow-up when completing the modules.
- Based on the results of the foregoing initial procedures and discussions with management, determine which procedures should be completed in the applicable module, focusing on areas of particular risk. The selection of procedures to be employed depends upon the adequacy of the credit union’s compliance management system and level of risk identified. Each module contains a series of general instructions to verify compliance, cross-referenced to citations within the regulation. Additionally, there are cross-references to a more comprehensive checklist, which the examiner may use if needed to evaluate compliance in more detail.
- Evaluate any additional information or documentation discovered during the course of the examination according to these procedures. Note that this may reveal new or different sharing practices necessitating reapplication of the Decision Trees and completion of additional or different modules.
- Formulate conclusions.
- Summarize all findings.
- For violation(s) noted, determine the cause by identifying weaknesses in internal controls, compliance review, training, management oversight, or other areas.
- Identify action needed to correct violations and to address weaknesses in the credit union’s compliance system, as appropriate.
- Discuss findings with management and obtain a commitment for corrective action.
PRIVACY NOTICE AND OPT OUT DECISION TREE
REDISCLOSURE AND REUSE OF NONPUBLIC PERSONAL INFORMATION RECEIVED FROM NONAFFILIATED FINANCIAL INSTITUTIONS DECISION TREE (§§ 1016.11(a) and 1016.11(b))
ACCOUNT NUMBER SHARING DECISION TREE
(§ 1016.12)
Module 1 - Sharing nonpublic personal information with nonaffiliated third parties under §§ 1016.14 and/or 1016.15 and outside of the exceptions
(With or without also sharing under § 1016.13)
Note: Credit unions whose practices fall within this category engage in the most expansive degree of information sharing permissible. Consequently, these credit unions are held to the most comprehensive compliance standards imposed by the regulation.
Note: As of December 4, 2015, a credit union is not required to provide an annual privacy notice to its applicable customers if it: (1) solely shares nonpublic personal information in accordance with the provisions of GLBA §§ 502(b)(2) (corresponding to Regulation P § 1016.13) or 502(e) (corresponding to Regulation P §§ 1016.14 and 1016.15) or regulations prescribed under GLBA § 504(b); and (2) has not changed its policies and practices with regard to disclosing nonpublic personal information since its most recent disclosure to its customers that was made in accordance with GLBA § 503. A credit union that at any time fails to comply with either of the criteria is not eligible for the exception and is required to provide an annual privacy notice to its customers.
- Disclosure of Nonpublic Personal Information
- Select a sample of third party relationships with nonaffiliated third parties and obtain a sample of information shared between the credit union and the third party both inside and outside of the exceptions. The sample should include a cross-section of relationships but should emphasize those that are higher risk in nature as determined by the initial procedures. Perform the following comparisons to evaluate the credit union’s compliance with disclosure limitations.
- Compare the categories of information shared and with whom the information was shared to those stated in the privacy notice and verify that what the credit union tells consumers (both members and those who are not members) in its notices about its policies and practices in this regard, and what the credit union actually does, are consistent (§§ 1016.6, 1016.10).
- Compare the information shared to a sample of opt out directions and verify that only nonpublic personal information covered under the exceptions or from consumers (customers and those who are not customers) who chose not to opt out is shared (§ 1016.10).
- If the credit union also shares information under § 1016.13, obtain and review contracts with nonaffiliated third parties that perform services for the credit union not covered by the exceptions in §§ 1016.14 or 1016.15. Determine whether the contracts prohibit the third party from disclosing or using the information other than to carry out the purposes for which the information was disclosed (§ 1016.13).
- Presentation, Content, and Delivery of Privacy Notices
- Review the credit union’s initial, annual and revised notices, as well as any short-form notices that the credit union may use for consumers who are not members. Determine whether or not these notices:
- Are clear and conspicuous (§§ 1016.3, 1016.4, 1016.5(a)(1), 1016.8(a)(1));
- Accurately reflect the credit union’s policies and practices (§§ 1016.4(a), 1016.5(a)(1), 1016.8(a)(1)). Note: this includes policies and practices disclosed in the notices that exceed regulatory requirements; and
- Include, and adequately describe, all required items of information and contain examples as applicable (§ 1016.6). Note that if the credit union shares nonpublic personal information under § 1016.13, the notice provisions for that section shall also apply.
- If the model privacy form is used, determine that it reflects the credit union’s policies and practices. For credit unions seeking a safe harbor for compliance with the content requirements of the regulation, verify that the notice has the proper content and is in the proper format as specified in the Appendix of the regulation.
- Through discussions with management, review of the credit union’s policies, procedures, and internal controls and a sample of electronic or written consumer records where available, determine if the credit union has adequate policies, procedures, and internal controls in place to provide notices to consumers, as appropriate. Assess the following:
- Timeliness of delivery (§§ 1016.4(a), 1016.7(c), 1016.8(a)); and
- Reasonableness of the method of delivery (e.g., by hand; by mail; electronically, if the consumer agrees; or as a necessary step of a transaction) (§ 1016.9).
- For members only, review the timeliness of delivery (§§ 1016.4(d), 1016.4(e), 1016.5(a)), means of delivery of annual notice (§ 1016.9(c)), and accessibility of or ability to retain the notice (§ 1016.9(e)).
- Opt-Out Right
- Review the credit union’s opt-out notices. An opt-out notice may be combined with the credit union’s privacy notices. Regardless, determine whether the opt-out notices:
- Are clear and conspicuous (§§ 1016.3(b) and 1016.7(a)(1));
- Accurately explain the right to opt-out (§ 1016.7(a)(1));
- Include and adequately describe the three required items of information (the credit union’s policy regarding disclosure of nonpublic personal information, the consumer’s opt-out right, and the means to opt-out) (§ 1016.7(a)(1)); and
- Describe how the credit union treats joint relationships, as applicable (§ 1016.7(e)).
- Through discussions with management, review of the credit union’s policies, procedures, and internal controls and a sample of electronic or written records where available, determine if the credit union has adequate policies, procedures, and internal controls in place to provide the opt-out notice and comply with opt-out directions of consumers (members and those who are not members), as appropriate. Assess the following:
- Timeliness of delivery (§ 1016.10(a)(1));
- Reasonableness of the method of delivery (e.g., by hand; by mail; electronically, if the consumer agrees; or as a necessary step of a transaction) (§ 1016.9);
- Reasonableness of the opportunity to opt-out (the time allowed to and the means by which the consumer may opt-out) (§§ 1016.10(a)(1)(iii), 1016.10(a)(3)); and
- Adequacy of procedures to implement and track the status of a consumer’s (members and those who are not members) opt-out direction, including those of former members (§§ 1016.7(e)-(g)).
- Checklist Cross References – Module 1
Module 2 - Sharing nonpublic personal information with nonaffiliated third parties under §§ 1016.13, and 1016.14 and/or 1016.15 but not outside of these exceptions
Note: As of December 4, 2015, a credit union is not required to provide an annual privacy notice to its applicable customers if it: (1) solely shares nonpublic personal information in accordance with the provisions of GLBA §§ 502(b)(2) (corresponding to Regulation P § 1016.13) or 502(e) (corresponding to Regulation P §§ 1016.14 and 1016.15) or regulations prescribed under GLBA § 504(b); and (2) has not changed its policies and practices with regard to disclosing nonpublic personal information since its most recent disclosure to its customers that was made in accordance with GLBA § 503. A credit union that at any time fails to comply with either of the criteria is not eligible for the exception and is required to provide an annual privacy notice to its customers.
- Disclosure of Nonpublic Personal Information
- Select a sample of third party relationships with nonaffiliated third parties and obtain a sample of information shared between the credit union and the third party. The sample should include a cross-section of relationships but should emphasize those that are higher risk in nature as determined by the initial procedures. Perform the following comparisons to evaluate the credit union’s compliance with disclosure limitations.
- Compare the information shared and with whom the information was shared to ensure that the credit union accurately categorized its information sharing practices and is not sharing nonpublic personal information outside the exceptions (§§ 1016.13, 1016.14, 1016.15).
- Compare the categories of information shared and with whom the information was shared to those stated in the privacy notice and verify that what the credit union tells consumers in its notices about its policies and practices in this regard and what the credit union actually does are consistent (§§ 1016.6, 1016.10).
- If the model privacy form is used, determine that it reflects the credit union’s policies and practices. For credit unions seeking a safe harbor for compliance with the content requirements of the regulation, verify that the notice has the proper content and is in the proper format as specified in the Appendix of the regulation.
- Review contracts with nonaffiliated third parties that perform services for the credit union not covered by the exceptions in §§ 1016.14 or 1016.15. Determine whether the contracts adequately prohibit the third party from disclosing or using the information other than to carry out the purposes for which the information was disclosed (§ 1016.13(a)).
- Select a sample of third party relationships with nonaffiliated third parties and obtain a sample of information shared between the credit union and the third party. The sample should include a cross-section of relationships but should emphasize those that are higher risk in nature as determined by the initial procedures. Perform the following comparisons to evaluate the credit union’s compliance with disclosure limitations.
- Presentation, Content, and Delivery of Privacy Notices
- Review the credit union’s initial and annual privacy notices. Determine whether or not they:
- Are clear and conspicuous (§§ 1016.3(b), 1016.4(a), 1016.5(a)(1));
- Accurately reflect the institution’s policies and practices (§§ 1016.4(a), 1016.5(a)(1)). Note, this includes policies and practices disclosed in the notices that exceed regulatory requirements; and
- Include, and adequately describe, all required items of information and contain examples as applicable (§§ 1016.6, 1016.13).
- Through discussions with management, review of the credit union’s policies, procedures, and internal controls and a sample of electronic or written consumer records where available, determine if the credit union has adequate policies, procedures, and internal controls in place to provide notices to consumers, as appropriate. Assess the following:
- Timeliness of delivery (§ 1016.4(a)); and
- Reasonableness of the method of delivery (e.g., by hand; by mail; electronically, if the consumer agrees; as a necessary step of a transaction; or pursuant to the alternative delivery method) (§ 1016.9).
- For members only, review the timeliness of delivery (§§ 1016.4(d), 1016.4(e), and 1016.5(a)), means of delivery of annual notice (§ 1016.9(c)), and accessibility of or ability to retain the notice (§ 1016.9(e)).
- Checklist Cross References – Module 2
Module 3 - Sharing nonpublic personal information with nonaffiliated third parties only under §§ 1016.14 and/or 1016.15
NOTE: This module applies only to members.
Note: As of December 4, 2015, a credit union is not required to provide an annual privacy notice to its applicable customers if it: (1) solely shares nonpublic personal information in accordance with the provisions of GLBA §§ 502(b)(2) (corresponding to Regulation P § 1016.13) or 502(e) (corresponding to Regulation P §§ 1016.14 and 1016.15) or regulations prescribed under GLBA § 504(b); and (2) has not changed its policies and practices with regard to disclosing nonpublic personal information since its most recent disclosure to its customers that was made in accordance with GLBA § 503. A credit union that at any time fails to comply with either of the criteria is not eligible for the exception and is required to provide an annual privacy notice to its customers.
- Disclosure of Nonpublic Personal Information
- Select a sample of third party relationships with nonaffiliated third parties and obtain a sample of information shared between the credit union and the third party.
- Compare the information shared and with whom the information was shared to ensure that the credit union accurately states its information sharing practices and is not sharing nonpublic personal information outside the exceptions.
- Presentation, Content, and Delivery of Privacy Notices
- Obtain and review the credit union’s initial and annual notices, as well as any simplified notice that the credit union may use. Note that the credit union may only use the simplified notice when it does not also share nonpublic personal information with affiliates outside of §§ 1016.14 and 1016.15 exceptions. Determine whether or not these notices:
- Are clear and conspicuous (§§ 1016.3(b), 1016.4(a), 1016.5(a)(1));
- Accurately reflect the credit union’s policies and practices (§§ 1016.4(a), 1016.5(a)(1)). Note, this includes policies and practices disclosed in the notices that exceed regulatory requirements; and
- Include, and adequately describe, all required items of information (§ 1016.6).
- If the model privacy form is used, determine that it reflects the credit union’s policies and practices. For credit unions seeking a safe harbor for compliance with the content requirements of the regulation, verify that the notice has the proper content and is in the proper format as specified in the Appendix of the regulation.
- Through discussions with management, review of the credit union’s policies, procedures, and internal controls and a sample of electronic or written member records where available, determine if the credit union has adequate policies, procedures, and internal controls in place to provide notices to members, as appropriate. Assess the following:
- Timeliness of delivery (§§ 1016.4(a), 1016.4(d), 1016.4(e), 1016.5(a)); and
- Reasonableness of the method of delivery (e.g., by hand; by mail; electronically, if the member agrees; as a necessary step of a transaction; or pursuant to the alternative delivery method) (§ 1016.9) and accessibility of or ability to retain the notice (§ 1016.9(e)).
- Checklist Cross References – Module 3
Module 4 - Redisclosure and Reuse of nonpublic personal information received from a nonaffiliated financial institution under §§ 1016.14 and/or 1016.15
- Through discussions with management and review of the credit union’s policies, procedures, and internal controls, determine whether the credit union has adequate policies, procedures, and internal controls to prevent the unlawful redisclosure and reuse of the information where the credit union is the recipient of nonpublic personal information (§ 1016.11(a)).
- Select a sample of information received from nonaffiliated financial institutions, to evaluate the credit union’s compliance with redisclosure and reuse limitations.
- Verify that the credit union’s redisclosure of the information was only to affiliates of the credit union from which the information was obtained or to the credit union’s own affiliates, except as otherwise allowed in step 2 below (§ 1016.11(a)(1)(i) and (ii)).
- Verify that the credit union only uses and shares the information pursuant to an exception in §§ 1016.14 and 1016.15 (§ 1016.11(a)(1)(iii)).
- Checklist Cross References – Module 4
Regulation Section | Subject | Checklist Question |
---|---|---|
1016.11(a) | Redisclosure and reuse | 45 |
1016.14, 1016.15 | Exceptions | 49-51 |
Module 5 - Redisclosure of nonpublic personal information received from a nonaffiliated financial institution outside of §§ 1016.14 and 1016.15
- Through discussions with management and review of the credit union’s policies, procedures, and internal controls, determine whether the credit union has adequate policies, procedures, and internal controls to prevent the unlawful redisclosure of the information where the credit union is the recipient of nonpublic personal information (§ 1016.11(b)).
- Select a sample of information received from nonaffiliated financial institutions and shared with others to evaluate the credit union’s compliance with redisclosure limitations.
- Verify that the credit union’s redisclosure of the information was only to affiliates of the credit union from which the information was obtained or to the credit union’s own affiliates, except as otherwise allowed in step 2 below (§ 1016.11(b)(1)(i) and (ii)).
- If the credit union shares information with entities other than those under step 1 above, verify that the credit union’s information sharing practices conform to those in the nonaffiliated financial institution’s privacy notice (§ 1016.11(b)(1)(iii)).
- Also, review the procedures used by the credit union to ensure that the information sharing reflects the opt-out status of the consumers of the nonaffiliated financial institution (§§ 1016.10, 1016.11(b)(1)(iii)).
- Checklist Cross References – Module 5
Regulation Section | Subject | Checklist Question |
---|---|---|
1016.11(b) | Redisclosure | 46 |
Module 6 - Account number sharing
- If available, review a sample of telemarketer scripts used when making sales calls to determine whether the scripts indicate that the telemarketers have the account numbers of the credit union’s members (§ 1016.12(a)).
- Obtain and review a sample of contracts with agents or service providers to whom the credit union discloses account numbers for use in connection with marketing the credit union's own products or services. Determine whether the credit union shares account numbers with nonaffiliated third parties only to perform marketing for the credit union’s own products and services. Ensure that the contracts do not authorize these nonaffiliated third parties to directly initiate charges to the accounts (§ 1016.12(b)(1)).
- Obtain a sample of materials and information provided to the consumer upon entering a private label or affinity credit card program. Determine if the participants in each program are identified to the member when the member enters into the program (§ 1016.12(b)(2)).
- Checklist Cross References – Module 6
Regulation Section | Subject | Checklist Question |
---|---|---|
1016.12 | Account number sharing | 47 |
PRIVACY OF CONSUMER FINANCIAL INFORMATION
(REGULATION P)
CHECKLIST
SUBPART A
Initial Privacy Notice
Item | Description | Yes | No | N/A |
---|---|---|---|---|
1 | Does the credit union provide a clear and conspicuous notice that accurately reflects its privacy policies and practices to all customers not later than when the customer relationship is established, other than as allowed in paragraph (e) of section 4 of the regulation? (§ 1016.4(a)(1)) (Note: A credit union establishes a customer relationship when it enters into a continuing relationship with the consumer. (§ 1016.4(c)(1)) With respect to credit relationships, a credit union establishes a customer relationship when it originates a consumer loan. If the institution subsequently sells the servicing rights to the loan to another financial institution, the customer relationship transfers with the servicing rights. (§ 1016.4(c)(2)) Customer relationships in credit unions may include nonmembers. (§ 1016.4(c)(3)(iii))) | | | |
2 | Does the credit union provide a clear and conspicuous notice that accurately reflects its privacy policies and practices to all consumers, who are not customers, before any nonpublic personal information about the consumer is disclosed to a nonaffiliated third party, other than under an exception in §§ 1016.14 or 1016.15? (§ 1016.4(a)(2)) (Note: No notice is required if nonpublic personal information is disclosed to nonaffiliated third parties only under an exception in §§ 1016.14 and 1016.15, and there is no customer relationship. (§ 1016.4(b))) | | | |
3 | Does the credit union provide to existing customers, who obtain a new financial product or service, a revised privacy notice that covers the customer's new financial product or service, if the most recent notice provided to the customer was not accurate with respect to the new financial product or service? (§ 1016.4(d)(1)) | | | |
4 | Does the credit union provide initial notice after establishing a customer relationship only if: | N/A | N/A | N/A |
4(a) | The customer relationship is not established at the customer's election; (§ 1016.4(e)(1)(i)) or | | | |
4(b) | To do otherwise would substantially delay the customer’s transaction (e.g., in the case of a telephone application), and the customer agrees to the subsequent delivery? (§ 1016.4(e)(1)(ii)) | | | |
5 | When the subsequent delivery of a privacy notice is permitted, does the credit union provide notice after establishing a customer relationship within a reasonable time? (§ 1016.4(e)) | | | |
Annual Privacy Notice
Item | Description | Yes | No | N/A |
---|---|---|---|---|
6 | Does the credit union provide a clear and conspicuous notice that accurately reflects its privacy policies and practices at least annually (that is, at least once in any period of 12 consecutive months) to customers, unless an exception to the annual privacy notice requirement applies? (§§ 1016.5(a)(1)-(2)) (Note: annual notices are not required for former customers. (§§ 1016.5(b)(1) and (4))) | | | |
7 | Does the credit union provide an annual privacy notice to each customer whose loan the credit union owns the right to service unless an exception to the annual privacy notice requirement applies? (§ 1016.5(c), 1016.12) | | | |
Content of Privacy Notices
Item | Description | Yes | No | N/A |
---|---|---|---|---|
8 | Do the initial, annual, and revised privacy notices include each of the following, as applicable: | N/A | N/A | N/A |
8(a) | The categories of nonpublic personal information that the credit union collects; (§ 1016.6(a)(1)) | | | |
8(b) | The categories of nonpublic personal information that the credit union discloses; (§ 1016.6(a)(2)) | | | |
8(c) | The categories of affiliates and nonaffiliated third parties to whom the credit union discloses nonpublic personal information, other than parties to whom information is disclosed under an exception in §§ 1016.14 or 1016.15; (§ 1016.6(a)(3)) | | | |
8(d) | The categories of nonpublic personal information disclosed about former customers, and the categories of affiliates and nonaffiliated third parties to whom the credit union discloses that information, other than those parties to whom the credit union discloses information under an exception in §§ 1016.14 or 1016.15; (§ 1016.6(a)(4)) | | | |
8(e) | If the credit union discloses nonpublic personal information to a nonaffiliated third party under § 1016.13, and no exception under §§ 1016.14 or 1016.15 applies, a separate statement of the categories of information the credit union discloses and the categories of third parties with whom the credit union has contracted; (§ 1016.6(a)(5)) | | | |
8(f) | An explanation of the opt out right, including the method(s) of opt out that the consumer can use at the time of the notice; (§ 1016.6(a)(6)) | | | |
8(g) | Any disclosures that the credit union makes under FCRA § 603(d)(2)(A)(iii); (§ 1016.6(a)(7)) | | | |
8(h) | The credit union’s policies and practices with respect to protecting the confidentiality and security of nonpublic personal information; (§ 1016.6(a)(8)) and | | | |
8(i) | A general statement that the credit union makes disclosures to other nonaffiliated third parties for everyday business purposes, such as (with the credit union including all purposes that are applicable) to process transactions, maintain accounts, respond to court orders and legal investigations, or report to credit bureaus, or as permitted by law? (§ 1016.6(a)(9), (b)(1) and (2)) (Note: Credit unions that provide a model privacy form in accordance with the instructions in the Appendix of the regulation will receive a safe harbor for compliance with the content requirements of the regulation.) | | | |
9 | Does the credit union list the following categories of nonpublic personal information that it collects, as applicable: | N/A | N/A | N/A |
9(a) | Information from the consumer; (§ 1016.6(c)(1)(i)) | | | |
9(b) | Information about the consumer’s transactions with the credit union or its affiliates; (§ 1016.6(c)(1)(ii)) | | | |
9(c) | Information about the consumer’s transactions with nonaffiliated third parties; (§ 1016.6(c)(1)(iii)) and | | | |
9(d) | Information from a consumer reporting agency? (§ 1016.6(c)(1)(iv)) | | | |
Item 10 |
Description Does the credit union list the following § This is an external link to a website belonging to another federal agency, private organization, or commercial entity. 1016.6(c)(1) (Opens new window) categories of nonpublic personal information that it discloses, as applicable, and a few examples of each, or alternatively state that it reserves the right to disclose all the nonpublic personal information that it collects: |
Yes N/A |
No N/A |
N/A N/A |
Item 10(a) |
Description Information from the consumer; |
Yes |
No |
N/A |
Item 10(b) |
Description Information about the consumer’s transactions with the credit union or its affiliates; |
Yes |
No |
N/A |
Item 10(c) |
Description Information about the consumer’s transactions with nonaffiliated third parties; and |
Yes |
No |
N/A |
Item 10(d) |
Description Information from a consumer reporting agency? (§ 1016.6(c)(2)) (Note: Examples are recommended under § 1016.6(c)(2)(i) although not under § 1016.6(c)(1).) |
Yes |
No |
N/A |
Item 11 |
Description Does the credit union list the following categories of affiliates and nonaffiliated third parties to whom it discloses information, as applicable, and a few examples to illustrate the types of the third parties in each category: |
Yes N/A |
No N/A |
N/A N/A |
Item 11(a) |
Description Financial service providers; (§ 1016.6(c)(3)(i)) |
Yes |
No |
N/A |
Item 11(b) |
Description Non-financial companies; (§ 1016.6(c)(3)(ii)) and |
Yes |
No |
N/A |
Item 11(c) |
Description Others? (§ 1016.6(c)(3)(iii)) |
Yes |
No |
N/A |
Item 12 |
Description Does the credit union make the following disclosures regarding service providers and joint marketers to whom it discloses nonpublic personal information under § 1016.13: |
Yes N/A |
No N/A |
N/A N/A |
Item 12(a) |
Description As applicable, the same categories and examples of nonpublic personal information disclosed as described in §§ 1016.6(a)(2) and 1016.6(c)(2) (see questions 8b and 10); (§ 1016.6(c)(4)(i)) and |
Yes |
No |
N/A |
Item 12(b) |
Description That the third party is a service provider that performs marketing on the credit union’s behalf or on behalf of the credit union and another financial institution; (§ 1016.6(c)(4)(ii)(A)) or |
Yes |
No |
N/A |
Item 12(c) |
Description That the third party is a financial institution with which the credit union has a joint marketing agreement? (§ 1016.6(c)(4)(ii)(B)) |
Yes |
No |
N/A |
Item 13 |
Description If the credit union does not disclose nonpublic personal information, and does not reserve the right to do so, other than under exceptions in §§ 1016.14 and 1016.15, does the credit union provide a simplified privacy notice that contains at a minimum: |
Yes N/A |
No N/A |
N/A N/A |
Item 13(a) |
Description A statement to this effect; |
Yes |
No |
N/A |
Item 13(b) |
Description The categories of nonpublic personal information it collects (same as § 1016.6(a)(1)); |
Yes |
No |
N/A |
Item 13(c) |
Description The policies and practices the credit union uses to protect the confidentiality and security of nonpublic personal information (same as § 1016.6(a)(8)); and |
Yes |
No |
N/A |
Item 13(d) |
Description A general statement that the credit union makes disclosures to other nonaffiliated third parties as permitted by law (same as §§ 1016.6(a)(9) and 1016.6(b))? (§ 1016.6(c)(5)) (Note: Use of this type of simplified notice is optional; a credit union may always use a full notice.) |
Yes |
No |
N/A |
Item 14 |
Description Does the credit union describe the following about its policies and practices with respect to protecting the confidentiality and security of nonpublic personal information: |
Yes N/A |
No N/A |
N/A N/A |
Item 14(a) |
Description Who is authorized to have access to the information; (§ 1016.6(c)(6)(i)) and |
Yes |
No |
N/A |
Item 14(b) |
Description Whether security practices and policies are in place to ensure the confidentiality of the information in accordance with the credit union’s policy? (§ 1016.6(c)(6)(ii)) (Note: The credit union is not required to describe technical information about the safeguards used in this respect.) |
Yes |
No |
N/A |
Item 15 |
Description If the credit union provides a short-form initial privacy notice with the opt-out notice, does the credit union do so only to consumers with whom the credit union does not have a customer relationship? (§ 1016.6(d)(1)) |
Yes |
No |
N/A |
Item 16 |
Description If the credit union provides a short-form initial privacy notice according to § 1016.6(d)(1), does the short-form initial notice: |
Yes N/A |
No N/A |
N/A N/A |
Item 16(a) |
Description Conform to the definition of “clear and conspicuous”; (§ 1016.6(d)(2)(i)) |
Yes |
No |
N/A |
Item 16(b) |
Description State that the credit union’s full privacy notice is available upon request; (§ 1016.6(d)(2)(ii)) and |
Yes |
No |
N/A |
Item 16(c) |
Description Explain a reasonable means by which the consumer may obtain the notice? (§ )(Note: The credit union is not required to deliver the full privacy notice with the short-form initial notice. (§ )) |
Yes |
No |
N/A |
Item 17 |
Description Does the credit union provide consumers who receive the short-form initial notice with a reasonable means of obtaining the longer initial notice, such as: |
Yes N/A |
No N/A |
N/A N/A |
Item 17(a) |
Description A toll-free telephone number that the consumer may call to request the notice; (§) or |
Yes |
No |
N/A |
Item 17(b) |
Description Having copies available to provide immediately by hand-delivery for the consumer who conducts business in person at the credit union's office? (§ ) |
Yes |
No |
N/A |
Item 18 |
Description If the credit union, in its privacy policies and practices, reserves the right to disclose nonpublic personal information to nonaffiliated third parties in the future, does the privacy notice include, as applicable: |
Yes N/A |
No N/A |
N/A N/A |
Item 18(a) |
Description The categories of nonpublic personal information that the credit union reserves the right to disclose in the future, but does not currently disclose; (§ 1016.6(e)(1)) and |
Yes |
No |
N/A |
Item 18(b) |
Description The categories of affiliates or nonaffiliated third parties to whom the credit union reserves the right in the future to disclose, but to whom it does not currently disclose, nonpublic personal information? (§ 1016.6(e)(2)) |
Yes |
No |
N/A |
Opt-Out Notice
Item | Description | Yes | No | N/A |
---|---|---|---|---|
Item 19 |
Description If the credit union discloses nonpublic personal information about a consumer to a nonaffiliated third party, and the exceptions under §§ 1016.13, 1016.14, and 1016.15 do not apply, does the credit union provide the consumer with a clear and conspicuous opt-out notice that accurately explains the right to opt out? (§ 1016.7(a)(1)) |
Yes |
No |
N/A |
Item 20 |
Description Does the opt-out notice state: |
Yes N/A |
No N/A |
N/A N/A |
Item 20(a) |
Description The credit union discloses or reserves the right to disclose nonpublic personal information about the consumer to a nonaffiliated third party; (§ 1016.7(a)(1)(i)) |
Yes |
No |
N/A |
Item 20(b) |
Description The consumer has the right to opt-out of that disclosure; (§ 1016.7(a)(1)(ii)) and |
Yes |
No |
N/A |
Item 20(c) |
Description A reasonable means by which the consumer may opt-out? (§ 1016.7(a)(1)(iii)) |
Yes |
No |
N/A |
Item 21 |
Description Does the credit union provide the consumer with the following information about the right to opt-out: |
Yes N/A |
No N/A |
N/A N/A |
Item 21(a) |
Description All of the categories of nonpublic personal information that the credit union discloses or reserves the right to disclose; (§ 1016.7(a)(2)(i)(A)) |
Yes |
No |
N/A |
Item 21(b) |
Description All the categories of nonaffiliated third parties to whom the information is disclosed; (§ 1016.7(a)(2)(i)(A)) |
Yes |
No |
N/A |
Item 21(c) |
Description The consumer has the right to opt-out of the disclosure of that information; (§ 1016.7(a)(2)(i)(A)) and |
Yes |
No |
N/A |
Item 21(d) |
Description The financial products or services that the consumer obtains to which the opt-out direction would apply? (§ 1016.7(a)(2)(i)(B)) |
Yes |
No |
N/A |
Item 22 |
Description Does the credit union provide the consumer with at least one of the following reasonable means of opting out, or with another reasonable means: |
Yes N/A |
No N/A |
N/A N/A |
Item 22(a) |
Description Check-off boxes prominently displayed on the relevant forms with the opt-out notice; (§ 1016.7(a)(2)(ii)(A)) |
Yes |
No |
N/A |
Item 22(b) |
Description A reply form included with the opt-out notice; (§ 1016.7(a)(2)(ii)(B)) |
Yes |
No |
N/A |
Item 22(c) |
Description An electronic means to opt-out, such as a form that can be sent via electronic mail or a process at the credit union’s web site, if the consumer agrees to the electronic delivery of information; (§ 1016.7(a)(2)(ii)(C)) or |
Yes |
No |
N/A |
Item 22(d) |
Description A toll-free telephone number? (§ 1016.7(a)(2)(ii)(D)) |
Yes |
No |
N/A |
(Note: The credit union may require the consumer to use one specific means, as long as that means is reasonable for that consumer. (§ 1016.7(a)(2)(iv)))
Item | Description | Yes | No | N/A |
---|---|---|---|---|
Item 23 |
Description If the credit union delivers the opt-out notice after the initial notice, does the credit union provide the initial notice once again with the opt-out notice? (§ 1016.7(c)) |
Yes |
No |
N/A |
Item 24 |
Description Does the credit union provide an opt-out notice, explaining how the credit union will treat opt-out directions by the joint consumers, to at least one party in a joint consumer relationship? (§ 1016.7(d)(2)) |
Yes |
No |
N/A |
Item 25 |
Description Does the credit union permit each of the joint consumers in a joint relationship to opt-out? (§ 1016.7(d)(2)) |
Yes |
No |
N/A |
Item 26 |
Description Does the opt-out notice to joint consumers state that either: |
Yes N/A |
No N/A |
N/A N/A |
Item 26(a) |
Description The credit union will consider an opt-out by a joint consumer as applying to all associated joint consumers; (§ 1016.7(d)(2)(i)) or |
Yes |
No |
N/A |
Item 26(b) |
Description Each joint consumer is permitted to opt-out separately? (§ 1016.7(d)(2)(ii)) |
Yes |
No |
N/A |
Item 27 |
Description If each joint consumer may opt-out separately, does the credit union permit: |
Yes N/A |
No N/A |
N/A N/A |
Item 27(a) |
Description One joint consumer to opt-out on behalf of all of the joint consumers; (§ 1016.7(d)(3)) |
Yes |
No |
N/A |
Item 27(b) |
Description The joint consumers to notify the credit union in a single response; (§ 1016.7(d)(5)(i)) and |
Yes |
No |
N/A |
Item 27(c) |
Description Each joint consumer to opt-out either for himself or herself, and/or for another joint consumer? (§ 1016.7(d)(5)(ii)) |
Yes |
No |
N/A |
Item 28 |
Description Does the credit union refrain from requiring all joint consumers to opt out before implementing any opt-out direction with respect to the joint account? (§ 1016.7(d)(4)) |
Yes |
No |
N/A |
Item 29 |
Description Does the credit union comply with a consumer’s direction to opt-out as soon as is reasonably practicable after receiving it? (§ 1016.7(g)) |
Yes |
No |
N/A |
Item 30 |
Description Does the credit union allow the consumer to opt-out at any time? (§ 1016.7(h)) |
Yes |
No |
N/A |
Item 31 |
Description Does the credit union continue to honor the consumer’s opt-out direction until revoked by the consumer in writing, or, if the consumer agrees, electronically? (§ 1016.7(i)(1)) |
Yes |
No |
N/A |
Item 32 |
Description When a customer relationship ends, does the credit union continue to apply the customer’s opt-out direction to the nonpublic personal information collected during, or related to, that specific customer relationship (but not to new relationships, if any, subsequently established by that customer)? (§ 1016.7(i)(2)) |
Yes |
No |
N/A |
Revised Notices
(Note: A revised notice is not required if the credit union adequately described the nonaffiliated third party or information to be disclosed in the prior privacy notice. (§ 1016.8(b)(2)))
Delivery Methods
Item | Description | Yes | No | N/A |
---|---|---|---|---|
Item 35 |
Description Does the credit union deliver the privacy and opt-out notices, including the short-form notice, so that the consumer can reasonably be expected to receive actual notice in writing or, if the consumer agrees, electronically? (§ 1016.9(a)) |
Yes |
No |
N/A |
Item 36 |
Description Does the credit union use a reasonable means for delivering the notices, such as: |
Yes N/A |
No N/A |
N/A N/A |
Item 36(a) |
Description Hand-delivery of a printed copy; (§ 1016.9(b)(1)(i)) |
Yes |
No |
N/A |
Item 36(b) |
Description Mailing a printed copy to the last known address of the consumer; (§ 1016.9(b)(1)(ii)) |
Yes |
No |
N/A |
Item 36(c) |
Description For the consumer who conducts transactions electronically, clearly and conspicuously posting the notice on the credit union’s electronic site and requiring the consumer to acknowledge receipt as a necessary step to obtaining a financial product or service; (§ 1016.9(b)(1)(iii)) or |
Yes |
No |
N/A |
Item 36(d) |
Description For isolated transactions, such as ATM transactions, posting the notice on the screen and requiring the member to acknowledge receipt as a necessary step to obtaining the financial product or service? (§ 1016.9(b)(1)(iv)) (Note: Insufficient or unreasonable means of delivery include: exclusively oral notice, in person or by telephone; branch or office signs or generally published advertisements; and electronic mail to a member who does not obtain products or services electronically. (§§ 1016.9(b)(2)(i)-(ii) and 1016.9(d))) |
Yes |
No |
N/A |
Item 37 |
Description For annual notices only, if the credit union does not employ one of the methods described in question 36, does the credit union employ one of the following reasonable means of delivering the notice: |
Yes N/A |
No N/A |
N/A N/A |
Item 37(a) |
Description For the member who uses the institution’s web site to access products and services electronically and who agrees to receive notices at the web site, continuously posting the current privacy notice on the web site in a clear and conspicuous manner; (§ 1016.9(c)(1)(i)) or |
Yes |
No |
N/A |
Item 37(b) |
Description For the member who has requested the credit union refrain from sending any information about the customer relationship, making copies of the current privacy notice available upon the member’s request? (§ 1016.9(c)(1)(ii)) |
Yes |
No |
N/A |
Item 38 |
Description As of October 28, 2014, for annual notices only, if the credit union uses the alternative delivery method does it meet the following conditions: |
Yes N/A |
No N/A |
N/A N/A |
Item 38(a) |
Description The credit union does not disclose the customer’s nonpublic personal information to nonaffiliated third parties other than for purposes under §§ 1016.13, 1016.14, and 1016.15; (§ 1016.9(c)(2)(i)(A)) |
Yes |
No |
N/A |
Item 38(b) |
Description The credit union does not include on its privacy notice an opt out under FCRA section 603(d)(2)(A)(iii); (§ 1016.9(c)(2)(i)(B)) |
Yes |
No |
N/A |
Item 38(c) |
Description The credit union previously provided the customer the opt-out notices required by FCRA section 624 and 12 CFR 1022, Subpart C, if applicable, or the privacy notice is not the only notice provided to satisfy those requirements; (§ 1016.9(c)(2)(i)(C)) |
Yes |
No |
N/A |
Item 38(d) |
Description The information that the credit union is required to convey on its privacy notice pursuant to §§ 1016.6(a)(1)-(5), 1016.6(8), and 1016.6(9) has not changed since it provided the immediately previous privacy notice to the customer, other than to eliminate categories of information that it discloses or categories of third parties to which it discloses information; (§ 1016.9(c)(2)(i)(D)) |
Yes |
No |
N/A |
Item 38(e) |
Description The credit union uses the model privacy form for its privacy notice; (§ 1016.9(c)(2)(i)(E)) |
Yes |
No |
N/A |
Item 38(f) |
Description The credit union conveys in a clear and conspicuous manner not less than annually on an account statement, coupon book, or a notice or disclosure that it is required or expressly and specifically permitted to issue to the customer under any other provision of law that the privacy notice is available on its web site and will be mailed to the customer upon request by telephone, and the statement states that the privacy notice has not changed and includes a specific web address that takes the customer to the web site where the privacy notice is posted and a telephone number for the customer to request that it be mailed; (§ 1016.9(c)(2)(ii)(A)) |
Yes |
No |
N/A |
Item 38(g) |
Description The credit union posts its privacy notice continuously and in a clear and conspicuous manner on a page on its web site on which the only content is the privacy notice, without requiring the customer to provide any information such as a login name or password or agree to any conditions to access the web site; (§ 1016.9(c)(2)(ii)(B)) and |
Yes |
No |
N/A |
Item 38(h) |
Description The credit union mails its current privacy notice to those customers who request it by telephone within ten calendar days of the request? (§ 1016.9(c)(2)(ii)(C)) |
Yes |
No |
N/A |
Item 39 |
Description As of December 4, 2015, for annual privacy notices only, if the credit union does not provide an annual privacy notice (or provides one, but not using a compliant delivery method), does the credit union meet both of the following criteria: |
Yes N/A |
No N/A |
N/A N/A |
Item 39(a) |
Description The credit union solely shares nonpublic personal information in accordance with the provisions of GLBA sections 502(b)(2) (corresponding to § 1016.13) or 502(e) (corresponding to §§ 1016.14 and 1016.15) or regulations prescribed under GLBA section 504(b); and |
Yes |
No |
N/A |
Item 39(b) |
Description The credit union has not changed its policies and practices with regard to disclosing nonpublic personal information from the policies and practices that were disclosed in the most recent disclosure sent to consumers in accordance with GLBA section 503? |
Yes |
No |
N/A |
Item 40 |
Description For customers only, does the credit union ensure that the initial, annual, and revised notices may be retained or obtained later by the customer in writing, or if the customer agrees, electronically? (§ 1016.9(e)(1)) |
Yes |
No |
N/A |
Item 41 |
Description Does the credit union use an appropriate means to ensure that notices may be retained or obtained later, such as: |
Yes N/A |
No N/A |
N/A N/A |
Item 41(a) |
Description Hand-delivery of a printed copy of the notice; (§ 1016.9(e)(2)(i)) |
Yes |
No |
N/A |
Item 41(b) |
Description Mailing a printed copy to the last known address of the customer upon request of the customer; (§ 1016.9(e)(2)(ii)) or |
Yes |
No |
N/A |
Item 41(c) |
Description Making the current privacy notice available on the credit union’s website (or via a link to the notice at another site) for the customer who agrees to receive the notice at the website? (§ 1016.9(e)(2)(iii)) |
Yes |
No |
N/A |
Item 42 |
Description Does the credit union provide at least one initial, annual, and revised notice, as applicable, to joint consumers? (§ 1016.9(i)) |
Yes |
No |
N/A |
SUBPART B
Limits on Disclosure to Nonaffiliated Third Parties
Limits on Redisclosure and Reuse of Information
Item | Description | Yes | No | N/A |
---|---|---|---|---|
Item 46 |
Description If the credit union receives information from a nonaffiliated financial institution under an exception in §§ 1016.14 or 1016.15, does the credit union refrain from using or disclosing the information except: |
Yes N/A |
No N/A |
N/A N/A |
Item 46(a) |
Description To disclose the information to the affiliates of the financial institution from which it received the information; (§ 1016.11(a)(1)(i)) |
Yes |
No |
N/A |
Item 46(b) |
Description To disclose the information to its own affiliates, which are in turn limited by the same disclosure and use restrictions as the recipient institution; (§ This is an external link to a website belonging to another federal agency, private organization, or commercial entity. 1016.11(a)(1)(ii) (Opens new window) ) and |
Yes |
No |
N/A |
Item 46(c) |
Description To disclose and use the information pursuant to an exception in §§ This is an external link to a website belonging to another federal agency, private organization, or commercial entity. 1016.14 (Opens new window) or This is an external link to a website belonging to another federal agency, private organization, or commercial entity. 1016.15 (Opens new window) in the ordinary course of business to carry out the activity covered by the exception under which the information was received? (§ This is an external link to a website belonging to another federal agency, private organization, or commercial entity. 1016.11(a)(1)(iii) (Opens new window) )(Note: The disclosure or use described in section c of this question need not be directly related to the activity covered by the applicable exception. For instance, an credit union receiving information for fraud-prevention purposes could provide the information to its auditors. But the phrase “in the ordinary course of business” does not include marketing. (§ This is an external link to a website belonging to another federal agency, private organization, or commercial entity. 1016.11(a)(2) (Opens new window) )) |
Yes |
No |
N/A |
Item 47 |
Description If the credit union receives information from a nonaffiliated financial institution other than under an exception in §§ This is an external link to a website belonging to another federal agency, private organization, or commercial entity. 1016.14 (Opens new window) or This is an external link to a website belonging to another federal agency, private organization, or commercial entity. 1016.15 (Opens new window) , does the credit union refrain from disclosing the information except: |
Yes N/A |
No N/A |
N/A N/A |
Item 47(a) |
Description To the affiliates of the financial institution from which it received the information; (§ This is an external link to a website belonging to another federal agency, private organization, or commercial entity. 1016.11(b)(1)(i) (Opens new window) ) |
Yes |
No |
N/A |
Item 47(b) |
Description To its own affiliates, which are in turn limited by the same disclosure restrictions as the recipient credit union; (§ This is an external link to a website belonging to another federal agency, private organization, or commercial entity. 1016.11(b)(1)(ii) (Opens new window) ) and |
Yes |
No |
N/A |
Item 47(c) |
Description To any other person, if the disclosure would be lawful if made directly to that person by the financial institution from which the credit union received the information? (§ This is an external link to a website belonging to another federal agency, private organization, or commercial entity. 1016.11(b)(1)(iii) (Opens new window) ) |
Yes |
No |
N/A |
Limits on Sharing Account Number Information for Marketing Purposes
Item | Description | Yes | No | N/A |
---|---|---|---|---|
48 | Does the credit union refrain from disclosing, directly or through affiliates, account numbers or similar forms of access numbers or access codes for a consumer's credit card account, deposit account, or transaction account to any nonaffiliated third party (other than to a consumer reporting agency) for telemarketing, direct mail or electronic mail marketing to the consumer, except: | N/A | N/A | N/A |
48(a) | To the credit union’s agents or service providers solely to market the credit union’s own products or services, as long as the agent or service provider is not authorized to directly initiate charges to the account; (§ 1016.12(b)(1)) or | | | |
48(b) | To a participant in a private label credit card program or an affinity or similar program where the participants in the program are identified to the customer when the customer enters into the program? (§ 1016.12(b)(2)) (Note: An “account number or similar form of access number or access code” does not include numbers in encrypted form, so long as the credit union does not provide the recipient with a means of decryption. (§ 1016.12(c)(1)) A transaction account does not include an account to which third parties cannot initiate charges. (§ 1016.12(c)(2))) | | | |
SUBPART C
Exception to Opt Out Requirements for Service Providers and Joint Marketing
Exceptions to Notice and Opt Out Requirements for Processing and Servicing Transactions
Item | Description | Yes | No | N/A |
---|---|---|---|---|
50 | If the credit union discloses nonpublic personal information to nonaffiliated third parties, do the requirements for initial notice in § 1016.4(a)(2), opt out in §§ 1016.7 and 1016.10, revised notice in § 1016.8, and for service providers and joint marketing in § 1016.13, not apply because the information is disclosed as necessary to effect, administer, or enforce a transaction that the consumer requests or authorizes, or in connection with: | N/A | N/A | N/A |
50(a) | Servicing or processing a financial product or service requested or authorized by the consumer; (§ 1016.14(a)(1)) | | | |
50(b) | Maintaining or servicing the consumer's account with the credit union or with another entity as part of a private label credit card program or other credit extension on behalf of the entity; or (§ 1016.14(a)(2)) | | | |
50(c) | A proposed or actual securitization, secondary market sale (including sale of servicing rights) or other similar transaction related to a transaction of the consumer? (§ 1016.14(a)(3)) | | | |
51 | If the credit union uses a § 1016.14 exception as necessary to effect, administer, or enforce a transaction, is the disclosure: | N/A | N/A | N/A |
51(a) | Required, or is one of the lawful or appropriate methods, to enforce the rights of the credit union or other persons engaged in carrying out the transaction or providing the product or service; (§ 1016.14(b)(1)) or | | | |
51(b) | Required, or is a usual, appropriate, or acceptable method, to: (§ 1016.14(b)(2)) | | | |
51(b)(i) | Carry out the transaction or the product or service business of which the transaction is a part, including recording, servicing, or maintaining the consumer's account in the ordinary course of business; (§ 1016.14(b)(2)(i)) | | | |
51(b)(ii) | Administer or service benefits or claims; (§ 1016.14(b)(2)(ii)) | | | |
51(b)(iii) | Confirm or provide a statement or other record of the transaction or information on the status or value of the financial service or financial product to the consumer or the consumer’s agent or broker; (§ 1016.14(b)(2)(iii)) | | | |
51(b)(iv) | Accrue or recognize incentives or bonuses; (§ 1014.14(b)(2)(iv)) | | | |
51(b)(v) | Underwrite insurance or for reinsurance or for certain other purposes related to a consumer's insurance; (§ 1016.14(b)(2)(v)) or | | | |
51(b)(vi) | In connection with: | N/A | N/A | N/A |
51(b)(vi)(1) | The authorization, settlement, billing, processing, clearing, transferring, reconciling, or collection of amounts charged, debited, or otherwise paid by using a debit, credit, or other payment card, check, or account number, or by other payment means; (§ 1016.14(b)(2)(vi)(A)) | | | |
51(b)(vi)(2) | The transfer of receivables, accounts or interests therein; (§ 1016.14(b)(2)(vi)(B)) or | | | |
51(b)(vi)(3) | The audit of debit, credit, or other payment information? (§ 1016.14(b)(2)(vi)(C)) | | | |
Other Exceptions to Notice and Opt Out Requirements
Footnotes
[1] 15 U.S.C. §§6801-6809. Full text of GLBA, including sections not related to consumer financial privacy, is here.
[2] Dodd-Frank Wall Street Reform and Consumer Protection Act of 2010, Pub. L. No. 111-203, Title X, 124 Stat. 1983 (2010).
[3] Dodd-Frank Act §§1002(12)(J), 1024(b)-(c), and 1025(b)-(c); 12 U.S.C. §§5481(12)(J), 5514(b)-(c), and 5515(b)-(c). Section 1002(12)(J) of the Dodd-Frank Act, however, excluded financial institutions’ information security safeguards under GLBA section 501(b) from the CFPB’s rulemaking, examination, and enforcement authority.
[4] 76 FR 79025 (Dec. 21, 2011). Pursuant to GLBA, the FTC retains rulemaking authority over any financial institution that is a person described in 12 U.S.C. §5519 (with certain statutory exceptions, the FTC generally retains rulemaking authority for motor vehicle dealers predominantly engaged in the sale and servicing of motor vehicles, the leasing and servicing of motor vehicles, or both).