CUNA Regulatory Comment Call


February 7, 2000

Joint Privacy Rules from the Fed, OCC, FDIC & OTS

EXECUTIVE SUMMARY

  • On February 3, 2000, the Federal Reserve Board (Fed) approved the proposed privacy rules that will be issued jointly from the Fed, the Office of the Comptroller of the Currency, the Federal Deposit Insurance Corporation, and the Office of Thrift Supervision.
  • The privacy rules are required under the Financial Services Modernization Act, known as the Gramm-Leach-Bliley Act (Act), which was signed by the President on November 12, 1999.
  • Under the Act, the privacy rules must be issued by the appropriate federal agencies by May of this year and will be effective within six months after they are issued, unless a later date is specified in the regulations. The NCUA Board will consider its proposed rules at a meeting on February 24th. These rules will be substantially similar to the rules of the other agencies, but will contain differences to account for credit union specific issues.
  • NCUA’s comment period will end in late March or early April. CUNA will issue a Regulatory Comment Call immediately after the rules are approved by the NCUA Board.
  • The draft privacy rules cover the requirements regarding initial and annual notices of privacy policies, the procedures that financial institutions must use when providing consumers with the right to “opt out” of certain information disclosures, and the exceptions to the obligation to provide these opt out rights.
  • If you need additional information or a copy of the proposed privacy rules, or would like to provide comments at this time, please contact Assistant General Counsel Jeffrey Bloch at jbloch@cuna.com, or by telephone at (202) 218-7795, or Associate General Counsel Kathy Thompson at kthompson@cuna.com, or by telephone at (202) 218-7770. Contact Jeff if you would like a copy sent to you.

DESCRIPTION OF THE JOINT PRIVACY RULES

I. Definitions

The draft regulations provide a number of definitions. The following are of particular interest:

Affiliate - This means any company that controls, is controlled by, or is under common control with another company. “Control” means control of 25% of any class of stock of another company; control over the election of a majority of the directors, trustees, or general partners of another company; or the power to exercise a controlling influence over the management or policies of that other company.

Nonaffiliated third party – This means any person or entity other than an affiliate of the institution, or a person employed jointly by the institution and a company that is not its affiliate.

Nonpublic personal information – This generally includes all personally identifiable financial information or any listing, description, or grouping of consumers that is derived by using personally identifiable financial information. Although “publicly available information” is excluded, the joint rules provide two alternatives regarding this exclusion. Under one alternative, information is not public unless it is actually obtained from a public source while under the other alternative, the information is public if it could be obtained from a public source, even if it is obtained from another source. However, under either alternative, the fact that an individual is a bank customer, or credit union member, will be considered “nonpublic.”

Personally identifiable financial information - This generally means information obtained by a financial institution in connection with providing a financial service or product to a consumer.

Publicly available information - This includes information available from government records, information required to be disclosed by law, and information contained in “widely available media,” which includes print, television, radio, and Internet sites that are available without a password or special fee.

II. Initial Notice of Privacy Policies

An initial notice of the privacy policy must be provided prior to the time that a “continuing relationship” with the consumer is established. (A continuing relationship is not established by engaging in isolated transactions, such as using an ATM or purchasing travelers checks or cashier’s checks from an institution where the consumer has no account.) If the continuing relationship is not established, the initial notice must be provided to the consumer prior to the time that the financial institution discloses nonpublic personal information to a nonaffiliated third party. An initial notice under these circumstances will not be required if such information is not disclosed or if such disclosure is allowed under certain exceptions, as described in Section VII below.

Oral descriptions of the information in the notice will not be permitted. In the case of a continuing relationship, the initial notice may be given after the establishment of such a relationship if: 1) the financial institution assumes the loan or deposit from another institution; or 2) the institution and the consumer orally agree to enter into the continuing relationship and the consumer agrees to receive the notice at a later time. If an institution sells a loan but keeps the servicing rights, the selling institution will still have a continuing relationship with the borrower.

The initial notice must generally be sent to the consumer. Posting the notice in a branch lobby will not be acceptable. The notice may be sent by e-mail if the consumer agrees and may be posted on a website if the consumer is required to acknowledge receipt prior to obtaining a financial service or product.

III. Annual Notice of Privacy Policies

An annual notice of privacy policies must be provided to consumers with a continuing relationship with the financial institution until the time that the relationship is terminated. The annual notice must be sent in the same manner as the initial notice.

IV. Content of the Initial and Annual Notice

The initial and annual notice must provide the following information:

  • The categories of nonpublic personal information that are collected and the categories that are disclosed, identified by source and content. For information collected, this may be satisfied if the information is categorized by source, such as application information, transaction information, and consumer report information. For information disclosed, this may be satisfied if the information is categorized by source, along with examples of the content of the information.
  • The categories of affiliates and nonaffiliated third parties to whom the financial institution discloses nonpublic personal information, other than those parties covered under the exceptions described in Section VII below where notice and opt out by the consumer are not required. This may be satisfied if the financial institution identifies the types of businesses that these parties are engaged in. This may be described in general terms, such as financial products or services, if the description includes examples of significant lines of businesses, such as retail banking, mortgage lending, or life insurance.
  • With regard to consumers who no longer have a continuing relationship, the notice must include the categories of nonpublic personal information that are disclosed and the categories of affiliates and nonaffiliated third parties to whom the information is disclosed. Again, this does not include those parties covered under the exceptions described in Section VII below where notice and opt out by the consumer are not required.
  • With regard to the exception to the opt out requirements for service providers and joint marketing, as described in Section VII below, the notice must include a separate description of the categories of information that are disclosed and the categories of third parties to whom it is disclosed.
  • An explanation of the right to opt out of disclosures of nonpublic personal information to nonaffiliated third parties and the method by which the opt out may be exercised.
  • The disclosures required under the Fair Credit Reporting Act (FCRA) regarding information shared among affiliates; and
  • The policies and practices with regard to protecting the confidentiality, security, and integrity of nonpublic personal information. This requirement may be satisfied by providing an explanation of who has access to the information, the particular circumstances under which it may be accessed, and the measures taken to protect the information from threats and hazards. Technical information about the safeguards is not required. The Act separately requires the appropriate federal agencies to establish standards regarding administrative, technical, and physical safeguards.

As described in Section VII below, certain nonpublic personal information may be disclosed to nonaffiliated third parties without providing consumers with notice and the right to opt out. For these disclosures, the initial and annual notices need only state that such disclosures are made as permitted by law. The notices may also describe future categories of information that may be disclosed and future categories of affiliates and nonaffiliated third parties to whom the information may be disclosed. If the financial institution does not intend to disclose nonpublic personal information to affiliates or nonaffiliated third parties, the institution may simply state this in the notice.

V. Limitations on Disclosure of Nonpublic Personal Information to Nonaffiliated Third Parties

Unless an exception applies, as described in Section VII below, nonpublic personal information cannot be disclosed to a nonaffiliated third party unless:

  • an initial notice is provided;
  • an opt out notice has been provided;
  • a reasonable opportunity to opt out of the disclosure has been given; and
  • the opt out option has not been exercised.

The financial institution may provide the opt out notice by mail, but the individual must be given a “reasonable” time to opt out. A 30-day period would satisfy this requirement. Although the institution may then disclose the information, the consumer may always exercise an opt out at a later time, and the institution must then stop disclosing the information as soon as is reasonably practicable. For isolated transactions, such as the purchase of a cashier’s check, the opportunity to opt out is considered reasonable if the opt out notice is provided at the time of the transaction and the individual is asked, as a necessary part of the transaction, to decide whether to opt out before completing it.

An opt out exercised by a consumer will apply to all information collected, regardless of when the information is collected. The financial institution may also allow consumers to exercise a partial opt out of certain nonpublic personal information or certain nonaffiliated third parties.

VI. Form and Method of Providing the Opt Out Notice

The opt out notice must: 1) state that the financial institution may or will disclose information to a nonaffiliated third party; 2) state that the individual has a right to opt out of that disclosure; and 3) provide a reasonable means to exercise the opt out option.

The opt out notice cannot be provided orally. Reasonable means of providing such notice may include check-off boxes, self-addressed stamped reply forms, or e-mail notifications if the consumer agrees. Requiring consumers to write and send their own letters will not be considered reasonable. If the financial institution and the consumer orally agree to enter into a continuing relationship, the opt out notice may be provided within a reasonable time afterwards if the consumer agrees. The opt out notice may be provided with the initial notice. If it is provided at a later time, a copy of the initial notice must be included with it.

The following must be provided if the financial institution wants to disclose information other than as described in the initial notice:

  • a revised notice that states the revised policies and procedures;
  • a new opt out notice; and
  • a reasonable opportunity to opt out of the disclosure.

The institution may then disclose the information if the consumer does not opt out within the reasonable time. A revised notice will be required if disclosing a new category of nonpublic personal information to a nonaffiliated third party or disclosing such information to a new category of nonaffiliated third party.

Again, the right to opt out may be exercised at any time and the financial institution must comply with the opt out as soon as reasonably practicable. The opt out will be effective until revoked by the consumer either in writing or electronically.

VII. Exceptions to the Opt Out Requirements

A. Service Providers and Joint Marketing

The opt out requirements will not apply when the financial institution provides nonpublic personal information about a consumer to a nonaffiliated third party that performs services for the institution or functions on the institution’s behalf. However, the institution must:

  • provide the initial notice of the privacy policies; and
  • enter into a contract that: 1) requires the third party to maintain confidentiality to the same extent that the financial institution is required to do so; and 2) limits the third party’s use of the information solely for the purposes for which it is disclosed, unless otherwise permitted under the other exceptions to the opt out requirements as described below.

The services performed by a nonaffiliated third party under this exception may include the marketing of the institution’s own products or services or the marketing of financial products or services offered under joint agreements with other financial institutions. “Joint agreement” means a contract where the parties jointly offer, endorse, or sponsor a financial product or service.

B. Transaction Processing

The opt out requirements will also not apply if disclosure of nonpublic personal information is necessary or appropriate in order to administer or enforce a transaction that:

  • provides a financial product or service that is authorized by an individual; or
  • maintains or services a consumer’s account.

For this exception, and the exceptions listed below, the initial and annual notices must still be provided to those with a continuing relationship with the financial institution. When referencing these exceptions, the notices need only state that such disclosures are made as permitted by law. Such notices will not have to be provided to those without a continuing relationship with the institution.

C. Other Exceptions

The following are additional exceptions:

  • when disclosure is with the consent or at the direction of the consumer, although the consumer may then revoke the consent by exercising the right to opt out of future disclosures;
  • when disclosure is necessary to protect the confidentiality and security of financial records;
  • for required institutional risk control or for resolving consumer disputes or inquiries;
  • to persons with a legal or beneficial interest or persons acting in a fiduciary or representative capacity;
  • to the extent otherwise permitted or required by law;
  • to law enforcement agencies, including government regulators;
  • to a consumer reporting agency in accordance with the FCRA or from a consumer report provided by a consumer reporting agency; or
  • in connection with a proposed or actual sale, transfer, or merger of all or a portion of a business or operating unit if the disclosure concerns only the consumers of the business or unit.

VIII. Reuse of Information

In general, if a financial institution receives nonpublic personal information from a nonaffiliated financial institution, it may not then be disclosed to an entity not affiliated with these two parties, unless the disclosure would have been permitted if made directly by the receiving institution. If the institution discloses nonpublic personal information to a nonaffiliated third party, that third party may not further disclose that information to an entity not affiliated with these two parties, unless the disclosure would have been permitted if made directly by the institution.

Under either situation described above, information received under an exception described in Section VII above may only be used for the purpose of that exception.

IX. No Disclosure of Account Number Information for Marketing Purposes

Other than to a consumer reporting agency, financial institutions will not be permitted to disclose account numbers or access codes for credit cards, deposit accounts, or transaction accounts to any nonaffiliated third parties for marketing purposes.

X. Relation to State Law

State laws, regulations, orders, and opinions will remain in effect to the extent that they are not inconsistent with these new privacy rules. Inconsistency does not include State protections that are greater than those provided by these new privacy rules, as determined by the Federal Trade Commission after consultation with the appropriate regulatory agency.

XI. Effective Date

The effective date of this rule is contemplated to be November 13, 2000, although federal agencies have flexibility to extend this date. Within thirty days after the effective date, financial institutions must provide initial notices to those that had a continuing relationship with the institution as of the effective date.

Copyright © 2012 Credit Union National Association