Note: In addition to the amendment discussed in this letter, your applicable state law still may require annual privacy notices or other privacy notices. See 15 U.S.C. 6807.
Dear Board of Directors and Chief Executive Officer:
you may not have to send another privacy notice this year—as long as you meet the conditions described in this letter.
This letter describes a recent amendment to the Gramm-Leach-Bliley Act (GLBA) that creates a new exception, in certain circumstances, to the statutory requirement that credit unions provide consumers with annual privacy notices. This exception is available to credit unions that have not changed their policies and practices for disclosing nonpublic personal information since they last provided an annual disclosure to consumers, if they meet other specified conditions, discussed below.1
Based on the amendment,
your credit union need not provide an annual privacy notice if:
Your policies and practices have not changed since your credit union provided its most recent privacy notice to consumers; and
You share nonpublic personal information with nonaffiliated third parties only in accordance with requirements for certain existing GLBA exceptions, including those related to:
- Performing services for, or functions on behalf of, the credit union, pursuant to a joint marketing agreement;
- Administering, servicing, or processing a transaction a consumer requests or authorizes; maintaining or servicing certain consumer accounts; or performing securitizations, secondary market sales, or similar transactions; or
- Other specified operational and legal purposes, including disclosure with the consumer’s consent or at the consumer’s direction and disclosure to protect the confidentiality and security of records related to the consumer, service, product, or transaction.2
NCUA examiners have been notified that if your credit union meets the applicable requirements, you need not send annual privacy notices unless and until your credit union no longer meets those requirements.
NCUA examiners will only expect annual privacy notices to be provided if your credit union does
not meet the new requirements described in this letter.
NCUA staff will consult with Consumer Financial Protection Bureau staff as CFPB works to implement the FAST Act’s amendment to GLBA and address interactions with other laws, such as the Fair Credit Reporting Act.3
If you have questions about your credit union’s NCUA examination, please contact NCUA’s Office of Examination and Insurance at
EIMail@NCUA.gov or 703-518-6360, your Examiner, Supervisory Examiner, or Regional Office. If you have questions about Gramm-Leach-Bliley Act requirements related to privacy notices, please contact NCUA’s Office of Consumer Protection at
ComplianceMail@ncua.gov or 703-518-1140.
This letter provides general information about the statutory amendment, but you should review the amendment carefully to determine whether your credit union qualifies for the exception. Title LXXV of the Fixing America’s Surface Transportation Act (FAST Act) amended GLBA requirements related to annual privacy notices. The amendment became effective immediately when signed into law on December 4, 2015. See Pub. L. 114-94; 15 U.S.C. 6803(f). Under GLBA and Regulation P, which implements GLBA, “customer” and “consumer” are defined terms. In some circumstances, privacy notice requirements can apply to certain persons who are not members of a credit union. To reduce confusion, this letter uses the statutory term “consumer” rather than the term “member.”
2See 15 U.S.C. 6802(b)(2), (e).
The Dodd-Frank Wall Street Reform and Consumer Protection Act rescinded NCUA’s rulemaking authority under GLBA and gave rulewriting authority to the Consumer Financial Protection Bureau (CFPB). NCUA repealed its implementing regulation in
12 CFR Part 716, and CFPB published an implementing regulation at
12 CFR Part 1016.