Eric Richard, General Counsel
Credit Union National Association, Inc.
805 15th Street, N.W.
Washington, D.C. 20005-2207
Re: Proposed Rule Implementing the Fair Credit Reporting Act.
Dear Mr. Richards:
You have inquired about the status of our proposed fair credit reporting rule issued by the NCUA Board last fall and asked questions regarding the application of the Fair Credit Reporting Act (FCRA) to consumer privacy notices.
Our consumer privacy regulation requires that a credit union’s initial and annual notices contain any disclosures the credit union must make under FCRA about information sharing with affiliates. 12 C.F.R. §716.6(a)(7). The compliance date for the consumer privacy regulation is July 1, 2001, but a final fair credit regulation will not be issued before early April. Early April is the time when those credit unions that do quarterly mailings may want to send their consumer privacy notices to avoid doing a second mailing before July 1. We appreciate the questions this raises for credit unions and hope that the following responses to your questions will be helpful.
When do you expect a final fair credit reporting regulation to be adopted?
We anticipate that the NCUA Board will publish a second Notice of Proposed Rulemaking (NPR) in late spring and a final rule, at the earliest, in late fall. As you are aware, NCUA has been working on this regulation with an interagency group that includes all the other financial institution regulators. Last October, the NCUA and the other agencies issued NPRs regarding the affiliate information sharing provisions of FCRA. The comment letters received by the NCUA and the other agencies raised numerous issues. At this time, the interagency group believes it may be appropriate to address some of these issues in greater detail and solicit additional comment through a second NPR.
In the absence of a fair credit reporting rule, how does an FCU [federal credit union] include the FCRA disclosures in its privacy notice?
Credit unions were subject to FCRA disclosure requirements even before NCUA and the other federal regulators received authority to issue a fair credit reporting rule in the recently enacted Gramm-Leach-Bliley Act (GLBA). Thus, even without a new rule, credit unions should continue to provide the disclosure and notice of a right to opt out that FCRA has required.
Briefly summarized, FCRA requires a credit union to “clearly and conspicuously” disclose to consumers if it communicates certain credit information to its affiliates and provide an opportunity to opt out of the disclosure. 15 U.S.C. §1681(d)(2)(A)(iii). Credit unions that only communicate information about their own “transactions or experiences” with a consumer may communicate this information to any person without providing a disclosure. 15 U.S.C. §1681(d)(2)(A)(i)-(ii). A credit union that must give the notice and an opportunity to opt out must do so before it communicates information to an affiliate. Credit unions may continue to use interpretations issued by the Federal Trade Commission (FTC) for guidance as, prior to GLBA, the FTC had sole interpretive authority for FCRA.
You have asked only about the FCRA disclosure that credit unions must include in their consumer privacy notice. Credit unions should also keep in mind that there may be persons entitled to a notice and right to opt out under FCRA but to whom the credit union may not be required to send a notice under our privacy regulation. Credit unions must comply with FCRA whenever they furnish consumer credit information to third parties. For example, a credit union may have credit information about potential or current employees who are not members. If a credit union makes disclosures of this information to third parties, it must provide the disclosure and notices required by FCRA to these individuals as well.
Who is considered an affiliate for the purposes of FCRA disclosures?
An affiliate, in the credit union context, is a credit union service organization (CUSO). As you know, our consumer privacy regulation provides a definition for affiliate and, because that definition is based on the notion of control, also provides a definition for control. 12 C.F.R. §716.3(a), (g). Both the consumer privacy regulation and FCRA apply to credit union disclosure of consumer information. Unless and until a final fair credit regulation provides a different analysis, we believe it is appropriate and will provide consistency for credit unions to rely on the definition for affiliate and the related definition of control in the consumer privacy regulation for purposes of determining their compliance with FCRA.
What are examiner expectations with regard to the FCRA disclosures in FCU privacy notices?
Briefly stated, NCUA expects credit unions to comply with the requirements of FCRA, which, as noted above, requires disclosure to consumers of certain credit information they communicate to their affiliates and notice of an opportunity to opt out. We suggest that you may want to consult with the Office of Examination and Insurance on this question because it is that office that is responsible for formulating standards and procedures for examination and supervision.
Finally, we want to note the different roles and responsibilities that NCUA has under its consumer privacy regulation and FCRA. NCUA’s consumer privacy regulation, which as discussed in this letter requires that notices contain certain FCRA disclosures, applies to all federally-insured credit unions. 12 C.F.R. §716.1(b).
NCUA’s responsibility for enforcement and implementation of FCRA through regulations, however, is only for federal credit unions. 15 U.S.C. §1681s(b)(3), (e)(2). State-chartered credit unions are under the jurisdiction of the FTC. 15 U.S.C. §1681s(a)(1).
Sheila A. Albin
Associate General Counsel