Dear Board of Directors and Chief Executive Officer:
Your credit union can now satisfy requirements to provide annual privacy notices required under the Gramm-Leach-Bliley Act (GLBA) and its implementing regulation, Regulation P, by posting information online.
Such posting would be an alternative to currently permissible methods, which include mailing or hand-delivering a printed notice. This alternative is based on a Final Rule which was recently issued by the Consumer Financial Protection Bureau (CFPB).1
GLBA establishes a comprehensive framework for regulating the disclosure of privacy practices of credit unions and other financial institutions. Among other provisions, GLBA requires financial institutions to provide their customers annual notice of their privacy policies.2
Regulation P, which implements GLBA, establishes ways financial institutions may provide this notice, including by mail and by hand delivery. Until recently, GLBA gave NCUA and various other financial institution regulators authority to issue regulations requiring financial institutions under their supervision to provide annual privacy notices to customers describing how customers’ non-public personal information would be protected and with whom it would be shared.
The Dodd-Frank Wall Street Reform and Consumer Protection Act of 2010 consolidated that authority under CFPB.
In late 2011, CFPB consolidated and restated the other agencies’ implementing regulations into its own Regulation P.3
On October 28, 2014, CFPB published in the Federal Register an amendment to Regulation P that makes it easier to access information about a financial institution’s privacy policies any time during the year, and reduces regulatory burden by allowing financial institutions to reduce printing and mailing costs.4
To What Disclosures Does the Final Rule Apply?
Regulatory Tip: You can use the Online Form Builder to develop customized privacy notices.
Under What Conditions Can Your Credit Union Use the New Alternative Delivery Method?
- You do not disclose customers’ nonpublic personal information to nonaffiliated third parties other than for purposes for which Regulation P provides an exception from opt-out requirements,6
- You do not include an “opt out” under the Fair Credit Reporting Act (FCRA) on your annual privacy notice;7
- You previously have satisfied the affiliate marketing provisions of FCRA and its implementing regulation, Regulation V, if applicable, or the annual privacy notice is not the only notice provided to satisfy those requirements;8
- The information in your most recent privacy notice has not changed other than to eliminate categories of information shared or parties with which you share customer information; and
- You use the form provided in the appendix to Regulation P for your annual privacy notice.
- You must provide the notice in a clear and conspicuous manner on an account statement, coupon book, or a notice or disclosure that you are required or expressly and specifically permitted to issue under any other provision of law;
- The notice must state that your privacy notice has not changed and must include a specific web address that takes the customer directly to the page where the privacy notice is posted; and
- The notice must include a telephone number the customer may call to order a copy of the policy by mail.9
- You must post your current privacy notice continuously and in a clear and conspicuous manner on a page of your website on which the only content is the privacy notice and the customer need not give a login name or password; and
- You must mail your current privacy notice within 10 calendar days of receiving a telephone request.
What Should Your Credit Union Do Next?
- Review the requirements contained in the Final Rule.
- Establish appropriate procedures and controls to ensure you can satisfy the conditions for using the alternative delivery method on a continuous basis.
- Modify your data processing systems and communication tools, as necessary, to generate the prescribed form and content required for the alternative delivery method.
- Monitor NCUA and CFPB announcements for any future amendments or interpretive guidance to Regulation P.
If you prefer to continue delivering annual privacy notices to your customers by the other existing methods contained in Regulation P, you do not need to take any action.
Existing methods include hand-delivering or mailing a printed notice. If a customer uses your website to access financial products and services electronically and agrees to receive notices at the website, another existing method is to post your current annual privacy notice continuously in a clear and conspicuous manner on the website. If the customer has requested that you not send any information about the customer relationship, the customer must be able to receive your current privacy notice upon request.
What Other Resources Are Available?
The full text of Regulation P, as amended by the Final Rule, is available here (opens new window) through the electronic Code of Federal Regulations.
The CFPB announcement of the Final Rule is available here (opens new window).
If you have questions, please contact NCUA’s Office of Consumer Protection at (703) 518-1140 or ComplianceMail@ncua.gov, your regional office, or state supervisory authority.
1 The final rule became effective immediately upon publication in the Federal Register on Oct. 28, 2014.
2 As used in GLBA and Regulation P, “customer” and “consumer” are defined terms, and Regulation P includes illustrations that apply specifically to credit unions. See, e.g., 15 U.S.C. 6809(9), (11) (defining “consumer” and “customer relationship”); 12 CFR 1016.3(e)(1), (3) (defining “consumer” and providing examples in the case of a credit union); 12 CFR 1016.3(i) (defining “customer” to mean a person who has a customer relationship with you); 12 CFR 1016.3(j)(1), (4) (defining “customer relationship” and providing examples of continuing customer relationships in the case of credit unions). A credit union must provide an annual privacy notice to customers—which include certain nonmembers—unless the customer relationship is terminated. See 12 CFR 1016.3(i), (j)(4); 12 CFR 1016.5(a), (b)(1), (b)(4). To reduce confusion, this Regulatory Alert uses the terms “customer” and “consumer” rather than the term “member.”
3 See Privacy of Consumer Financial Information (Regulation P), Interim final rule with request for public comment, 76 FR 79025 (Dec. 21, 2011) (codifying regulations implementing certain GLBA privacy provisions at 12 CFR 1016).
4 The version of the Final Rule published in the Federal Register is available at (opens new window).
5 The Online Form Builder is available at (opens new window). The press release announcing the availability of the Online Form Builder is available at (opens new window).
6 Generally these exemptions are:
- To perform services for you or on your behalf, if you give a consumer required notice and you have an agreement with the third party prohibiting it from using the information for other purposes;
- To effect, administer, or enforce a transaction that a consumer requests or authorizes, or in connection with:
- Servicing or processing a financial product or service that a consumer requests or authorizes,
- Maintaining or servicing the consumer’s account with you, or with another entity as part of a private label credit card program or other extension of credit on such entity’s behalf, or
- A proposed or actual securitization, secondary market sale, or similar transaction related to a transaction of the consumer;
- Other operational and legal purposes specifically listed in Section 1016.15 of Regulation P, including disclosure with the consent or at the direction of the consumer and to protect the confidentiality or security of your records on the consumer, service, product, or transaction.
7 Such disclosures relate to the ability to opt out of disclosures of information among affiliates. See 12 CFR § 1016.6(a)(7).
8 The affiliate marketing provisions are found in 15 U.S.C. 1681s-3 and subpart C of 12 CFR part 1022.
9 The telephone number does not have to be a toll-free number, nor does it need to be a separate, dedicated line.