CUNA Regulatory Comment Call
February 28, 2000
NCUA’s Proposed Privacy Rules
(MAJOR RULE)
EXECUTIVE SUMMARY
- On February 24, 2000, the NCUA Board approved proposed privacy rules, which apply to federally insured credit unions. Comments are due by March 31, 2000. Please submit your comments to CUNA by March 27, 2000.
- The privacy rules are required under the Financial Services Modernization Act, known as the Gramm-Leach-Bliley Act (Act), which was signed by the President on November 12, 1999.
- Under the Act, the privacy rules must be issued by the appropriate federal agencies by May of this year and will be effective on November 13, 2000, unless a later date is specified in the rules. NCUA’s rules are substantially similar to the rules of the other agencies, with certain exceptions to account for credit union specific issues.
- The draft privacy rules cover the requirements regarding initial and annual notices of privacy policies, the procedures that credit unions must use when providing consumers with the right to "opt out" of certain information disclosures, and the exceptions to the obligation to provide these opt out rights.
DESCRIPTION OF THE PROPOSED PRIVACY RULES
I. Definitions
The proposed rules provide a number of definitions. The following are of particular interest:
Affiliate - This means any company that controls, is controlled by, or under common control with another company. An affiliate of a federal credit union will be a credit union service organization (CUSO) "controlled" by the credit union. "Control" means either control of 25% of any class of stock of another company; control over the election of a majority of directors, trustees, or general partners of another company; or power to exercise a controlling influence over the management or policies of that other company.
Nonaffiliated third party - This means any person or entity except an affiliate or joint employee of the credit union and the nonaffiliate.
Nonpublic personal information - This generally includes all personally identifiable financial information or any listing, description, or grouping of consumers that is derived by using personally identifiable financial information. Although "publicly available information" is excluded, the information is not public unless it is actually obtained from a public source. Other agencies are proposing an alternative where the information will be considered public if it could be obtained from a public source, even if it is obtained from another source. However, under either scenario, the fact that an individual is a credit union member will be considered "nonpublic."
Personally identifiable financial information - This generally means information obtained by a credit union in connection with providing a financial service or product to a consumer. This may include information not previously thought of as "financial," such as health status.
Publicly available information - This includes information available from government records, information required to be disclosed by law, and information contained in "widely available media," which includes print, television, radio, and Internet sites that are available without a password or special fee.
II. Initial Notice of Privacy Policies
An initial notice of the privacy policy must be provided prior to the time that a "continuing relationship" with the consumer is established. This will usually occur when an individual applies for membership. There will also be situations where a nonmember will have a continuing relationship with the credit union. This may occur when a nonmember is a guarantor on a loan, a joint accountholder, establishes a share account at a low-income designated credit union, or where a credit union owns or services a nonmember’s loan.
A continuing relationship is not established by engaging in isolated transactions, such as when a nonmember uses a credit union’s ATM. If the continuing relationship is not established, the initial notice must be provided to the consumer prior to the time that the credit union discloses nonpublic personal information to a nonaffiliated third party. An initial notice under these circumstances will not be required if such information is not disclosed or if such disclosure is allowed under certain exceptions, as described in Section VII below.
Oral descriptions of the information in the notice will not be permitted. In the case of a continuing relationship, the initial notice may be given after the establishment of such a relationship if: 1) the credit union assumes the loan from another institution; or 2) the credit union and the consumer orally agree to enter into the continuing relationship and the consumer agrees to receive the notice at a later time. If a credit union sells a loan but keeps the servicing rights, the credit union will still have a continuing relationship with the borrower.
The initial notice must generally be sent to the consumer. Posting the notice in a branch lobby will not be acceptable. The notice may be sent by e-mail if the consumer agrees and may be posted on a website if the consumer is required to acknowledge receipt prior to obtaining a financial service or product.
III. Annual Notice of Privacy Policies
An annual notice of privacy policies must be provided to members and others with a continuing relationship with the credit union until the time that the relationship is terminated. The annual notice must be sent in the same manner as the initial notice.
IV. Content of the Initial and Annual Notice
The initial and annual notice must provide the following information:
- The categories of nonpublic personal information that are collected and the categories that are disclosed, identified by source and content. For information collected, this may be satisfied if the information is categorized by source, such as application information, transaction information, and credit reports. For information disclosed, this may be satisfied if the information is categorized by source, along with examples of the content of the information.
- The categories of affiliates and nonaffiliated third parties to whom the credit union discloses nonpublic personal information, other than those parties covered under the exceptions described in Section VII below where notice and opt out by the consumer are not required. This may be satisfied if the credit union identifies the types of businesses that these parties are engaged in. This may be described in general terms, such as financial products or services, if the description includes examples of significant lines of businesses, such as mortgage lending or life insurance.
- With regard to consumers who no longer have a continuing relationship, the notice must include categories of nonpublic personal information that are disclosed and the categories of affiliates and nonaffiliated third parties to whom the information is disclosed. Again this does not include those parties covered under the exceptions described in Section VII below where notice and opt out by the consumer are not required.
- With regard to the exception to the opt out requirements for service providers and joint marketing, as described in Section VII below, the notice must include a separate description of the categories of information that are disclosed and the categories of third parties to whom it is disclosed.
- An explanation of the right to opt out of disclosures of nonpublic personal information to nonaffiliated third parties and the method by which the opt out may be exercised.
- disclosures of communications made among affiliates as described in the Fair Credit Reporting Act (FCRA); and
- policies and practices with regard to protecting the confidentiality, security, and integrity of nonpublic personal information. This requirement may be satisfied by providing an explanation of who has access to the information, the particular circumstances under which it may be accessed, and measures to protect the information from threats and hazards. Technical information about the safeguards is not required. The Act requires the agencies to establish standards regarding administrative, technical, and physical safeguards. These should be in place when the final rule is issued.
As described in Section VII below, certain nonpublic personal information may be disclosed to nonaffiliated third parties without providing consumers with notice and the right to opt out. For these disclosures, the initial and annual notices need only state that such disclosures are made as permitted by law. The notices may also be based on future categories of information that may be disclosed and future categories of affiliates and nonaffiliated third parties to whom the information may be disclosed to. If the credit union does not intend to disclose nonpublic personal information to affiliates or nonaffiliated third parties, the credit union may just simply state this in the notice.
V. Limitations on Disclosure of Nonpublic Personal Information to Nonaffiliated Third Parties
Unless an exception applies, as described in Section VII below, nonpublic personal information cannot be disclosed to a nonaffiliated third party unless:
- an initial notice is provided;
- an opt out notice has been provided;
- a reasonable opportunity to opt out of the disclosure has been given; and
- the opt out option has not been exercised.
The credit union may provide the opt out notice by mail but the individual must be given a "reasonable" time to opt out. A 30-day period would satisfy this requirement. Although the credit union may then disclose the information, the consumer may always exercise an opt out at a later time and the credit union must then stop disclosing the information as soon as it is reasonably practicable. However, this may result in information being disclosed to nonaffiliated third parties until the time that the opt out is implemented. For isolated transactions, such as purchase of a traveler’s check, reasonable time is sufficient if the opt out notice is provided at the time of the transaction and the individual is requested, as a necessary part of the transaction, to decide whether to opt out before completing the transaction.
An opt out exercised by a consumer will apply to all information collected, regardless of when the information is collected. The credit union may also allow consumers to exercise a partial opt out of certain nonpublic personal information or certain nonaffiliated third parties.
VI. Form and Method of Providing the Opt Out Notice
The opt out notice must: 1) state that the credit union may or will disclose information to a nonaffiliated third party; 2) state that the individual has a right to opt out of that disclosure; and 3) provide a reasonable means to exercise the opt out option. The notice will be adequate if it identifies the categories of nonpublic personal information that is or may be disclosed in the future and states that the consumer can opt out of the disclosure.
The opt out notice cannot be provided orally. Reasonable means of providing such notice may include check-off boxes, self-addressed stamped replies, or e-mail notifications if the consumer agrees. Requiring consumers to send their own letters will not be considered reasonable. If the credit union orally agrees to enter into a continuing relationship, the opt out may be provided within a reasonable time afterwards if the consumer agrees. The opt out notice may be provided with the initial notice. If it is provided at a later time, a copy of the initial notice must be included.
The following must be provided if the credit union wants to disclose information other than as described in the initial notice:
- a revised notice that states the revised policies and procedures;
- a new opt out notice; and
- a reasonable opportunity to opt out of the disclosure.
The credit union may then disclose the information if the consumer does not opt out within the reasonable time. A revised notice will be required if disclosing a new category of nonpublic personal information to a nonaffiliated third party or disclosing such information to a new category of nonaffiliated third party.
Again, the right to opt out may be exercised at any time and the credit union must promptly comply with the opt out. The opt out will be effective until revoked by the consumer either in writing or electronically.
VII. Exceptions to the Opt Out Requirements
A. Service Providers and Joint Marketing
The opt out requirements will not apply when the credit union provides nonpublic personal information about a consumer to a nonaffiliated third party that performs services for the credit union or functions on the credit union’s behalf. However, the credit union must:
- provide the initial notice of the privacy policies, which includes a description of the information disclosed under this opt out exception; and
- enter into a contract that: 1) requires the third party to maintain confidentiality to the same extent that the credit union is required to do so; and 2) limits the third party’s use of the information solely for the purposes for which it is disclosed, unless otherwise permitted under the other exceptions to the opt out requirements as described below.
The services performed by a nonaffiliated third party under this exception may include the marketing of the credit union’s own products or services or the marketing of financial products or services offered under joint agreements with other financial institutions. "Joint agreement" means a contract where the parties jointly offer, endorse, or sponsor a financial product or service.
B. Transaction Processing
The opt out requirements will also not apply if disclosure of nonpublic personal information is necessary or appropriate in order to administer or enforce a transaction that:
- provides a financial product or service that is authorized by an individual; or
- maintains or services a consumer’s account.
For this exception and the exceptions listed below, the initial and annual notices must still be provided to those with a continuing relationship with the credit union. When referencing these exceptions, the notices need only state that such disclosures are made as permitted by law. Such notices will not have to be provided to those without a continuing relationship with the credit union.
C. Other Exceptions
The following are additional exceptions:
- when disclosure is with the consent or at the direction of the consumer, although the consumer may then revoke the consent by exercising the right to opt out of future disclosures;
- when disclosure is necessary to protect the confidentiality and security of financial records;
- for required institutional risk control or for resolving consumer disputes or inquiries;
- to persons with a legal or beneficial interest or persons acting in a fiduciary or representative capacity;
- to the extent otherwise permitted or required by law;
- to law enforcement agencies, including government regulators;
- to a consumer reporting agency in accordance with the FCRA or from a consumer report provided by a consumer reporting agency; or
- in connection with a proposed or actual sale, transfer, or merger of all or a portion of a business or operating unit if the disclosure concerns only the consumers of the business or unit.
VIII. Reuse of Information
In general, if a credit union receives nonpublic personal information from a nonaffiliated financial institution, it may not then be disclosed to an entity not affiliated with these two parties, unless the disclosure would have been permitted if made directly by the receiving credit union. If the credit union discloses nonpublic personal information to a nonaffiliated third party, that third party may not further disclose that information to an entity not affiliated with these two parties, unless the disclosure would have been permitted if made directly by the credit union.
Under either situation described above, information received under an exception described in Section VII above may only be used for the purpose of that exception.
IX. No Disclosure of Account Number Information for Marketing Purposes
Other than to a consumer reporting agency, credit unions will not be permitted to disclose account numbers or access codes for credit cards, share accounts, or transaction accounts to any nonaffiliated third parties for marketing purposes.
X. Relation to State Law
State laws, regulations, orders, opinions will still be valid to the extent that they are not inconsistent with these new privacy rules. Inconsistency does not include State protections that are greater than those provided by these new privacy rules, as determined by the Federal Trade Commission, after consultation with NCUA.
XI. Effective Date
The effective date of this rule is contemplated to be November 13, 2000, although NCUA has flexibility to extend this date. Within thirty days after the effective date, credit unions must provide initial notices to those that had a continuing relationship with the credit union as of the effective date.
QUESTIONS TO CONSIDER REGARDING NCUA’s PROPOSED PRIVACY RULES
(Most of these are issues raised by NCUA)
- Do you have any comments regarding the examples provided in the rules? Are there additional examples that would be helpful?
- Are the definitions of "financial product or service" and "financial institution" sufficient? If not, should they be explained further, and if so, how?
- Should CUSOs be affiliates when they are wholly owned by credit unions even if a credit union owns less than 25%? (Ownership above 25% is one indication of control under the proposed rules.) Why?
- For the definition of "publicly available information," other agencies are proposing two alternatives. One would define this term as information that is derived from public sources while the other alternative would define this as information that could be derived from public sources even if it is obtained from an application. Which alternative is best and why? Also, should "nonpublic personal information" cover information about a consumer that contains no indicator of a consumer’s identity? (An example given by NCUA would be disclosure of aggregate information about mortgage loans.)
- The rules prohibit disclosing member lists. There is an issue as to whether this is prohibited in the underlying statute. Should we oppose this prohibition?
- Should the definition of "personally identifiable financial information" be clarified? Currently, this will cover all information provided in connection with obtaining a financial service, such as health status.
- What information should be considered "publicly available," particularly in the context of the Internet?
- Who should receive notices (initial, annual and opt out) when there is a joint account? How can we justify limiting notices to one party? For the opt-out, should credit unions require all joint accountholders to opt out before the opt out is effective? If not, should an opt out from one party apply to all parties on the account? How should a notice and opt out apply to commingled trust accounts where the trustee manages a single account for multiple beneficiaries?
- In general, what will be the regulatory burden of providing initial, annual, and opt out notices and what methods do you anticipate using to provide these notices? How many opt out notices do you expect to deliver and process?
- In general, the initial notice must be provided "prior to" establishing a continuing relationship with a member. Exceptions are when the member agrees or in situations when a loan is assumed. What other exceptions, if any, should we request? Should we oppose the "prior to" language since the Act only requires the notice "at the time of establishing" the relationship?
- Under what circumstances would it be impractical to provide notices by mail? Should and how can we argue that providing notices in the branch would be sufficient unless the member objects or otherwise does not visit the branch on a regular basis?
- One example of when an account relationship has been terminated is when it is "dormant." Should "dormant" be determined by the credit union’s policy or by state law? Should the standard regarding "dormant" accounts apply to both members and nonmembers?
- For certain exceptions to the opt out requirements, the initial and annual notice need only state that the credit union makes such disclosures as permitted by law to nonaffiliated third parties. Is this adequate? (Note: This "abbreviated" type of disclosure does not apply to the exception for service providers/joint marketing.)
- For indirect lending, what should be the credit union’s responsibility for ensuring that other entities, like auto dealers, are providing the appropriate notices at the appropriate time?
- The rules state that giving consumers at least a 30-day period to exercise an opt out is reasonable. Do you agree? Would an example in the context of an electronic medium be helpful?
- If a credit union and consumer orally agree to enter into a continuing relationship and the credit union wants to disclose information, an opt out notice may be given at a reasonable time afterwards if the consumer agrees. Should there be a time limit for providing the notice in this context?
- There appears to be confusion regarding the providing of a "stamped" reply when providing the opt out notice. It is unclear whether this is required or is just an example. Should we oppose the idea of providing a "stamped" reply with an argument regarding the cost burden?
- For the service provider/joint marketing exception to the opt out requirements, the rules state that credit unions must "fully disclose" that it will provide this information to nonaffiliated third parties. Do the rules appropriately implement the "fully disclose" requirement as described in the Act?
- Under the service provider/joint marketing exception, the credit union must enter into a contract with the third party to ensure confidentiality of the information. How would this apply to credit scoring vendors that evaluate creditworthiness? Would this prevent the vendor from using the members’ information, without indicators of personal identity, to revalidate the model? Would using the information in this manner be beyond the immediate purpose of determining the borrower’s ability to perform?
- For the service provider/joint marketing exception, should there be additional requirements regarding the disclosure of the information? Should credit unions be required to take steps to ensure that joint marketed products pose no undue risks on the credit union? Should the rules require that the credit unions’ sponsorship of the product or service be evident in the marketing of that service or product? Should there be other requirements to protect privacy? Should there be examples of the types of "joint agreements" that are covered?
- One exception to the opt out requirements is for disclosures made with the consent of the consumer. Should there be safeguards to minimize the potential for consumer confusion? Examples given by NCUA include a requirement that consent be written, or that it be indicated on a separate line in a relevant document or on a distinct Web page.
- When a credit union discloses nonpublic personal information to a nonaffiliated third party, the third party may not redisclose that information to another third party unless the disclosure would have been "lawful" if made directly by the credit union. Should credit unions be required to develop procedures to ensure that third parties comply with the limits on redisclosure?
- Under the service provider/joint marketing exception, credit unions must comply with certain requirements. Can subsequent disclosures by the third party be considered "lawful" when the credit union is not a party to the subsequent disclosure?
- The rules contain a strict prohibition on disclosing account numbers for marketing purposes. Does the Act prohibit disclosure of encrypted account numbers to a marketing firm if the marketer does not receive the key to decrypt the number? Would the strict prohibition disrupt certain routine practices, such as disclosing account numbers to service providers who handle monthly account statements along with a request by the credit union to include literature about a product? Should members be permitted to consent to the disclosure of their account numbers? If so, what standards should apply to protect the member? For example, should the number be encrypted?
- The final rules will be approved in early May and will effective as of November 13, 2000. Will the six month period between May and November be enough time for you to comply with the rules? If not, how much time will be needed? Will you be able to provide an initial notice to your current members within 30 days after the effective date of the rules? If not, how much time will be needed?
|
Eric Richard • General Counsel • (202) 508-6742 • erichard@cuna.com Mary Mitchell Dunn • SVP & Associate General Counsel • (202) 508-6736 • mdunn@cuna.com Jeffrey Bloch • Assistant General Counsel • (202) 508-6732 • jbloch@cuna.com Catherine Orr • Senior Regulatory Counsel • (202) 508-6743 • corr@cuna.com |
