Privacy of Consumer Financial Information (Regulation P)

Title V, Subtitle A of the Gramm-Leach-Bliley Act (GLBA) [1] governs the treatment of nonpublic personal information about consumers by financial institutions. Section 502 of the Subtitle, subject to certain exceptions, prohibits a financial institution from disclosing nonpublic personal information about a consumer to nonaffiliated third parties, unless (i) the institution satisfies various notice and opt-out requirements, and (ii) the consumer has not elected to opt out of the disclosure. Section 503 requires the institution to provide notice of its privacy policies and practices to its customers. Section 504 authorizes the issuance of regulations to implement these provisions.

Title X of the Dodd-Frank Wall Street Reform and Consumer Protection Act (Dodd-Frank Act) [2] granted rulemaking authority for most provisions of Subtitle A of Title V of GLBA to the Consumer Financial Protection Bureau (CFPB) with respect to financial institutions and other entities subject to the CFPB’s jurisdiction, except securities and futures-related companies and certain motor vehicle dealers. The Dodd-Frank Act also granted authority to the CFPB to examine and enforce compliance with these statutory provisions and their implementing regulations with respect to entities under CFPB jurisdiction. [3] In December 2011, the CFPB re-codified in Regulation P, 12 CFR Part 1016, the implementing regulations that were previously issued by the Board, the FDIC, the Federal Trade Commission (FTC), the NCUA, the OCC, and the former OTS. [4]

On December 1, 2009, the eight federal agencies jointly released a voluntary model privacy form designed to make it easier for consumers to understand how financial institutions collect and share nonpublic personal information. [5] The final rule adopting the model privacy form was effective on December 31, 2009.

On October 28, 2014, the CFPB published a final rule amending the requirements regarding financial institutions’ provision of their annual disclosures of privacy policies and practices to customers by creating an alternative delivery method that financial institutions can use under certain circumstances. [6] The amendment was effective immediately upon publication. The alternative delivery method allows a financial institution to provide an annual privacy notice by posting the annual notice on its web site, if the financial institution meets certain conditions.

As of December 4, 2015, section 75001 of the Fixing America’s Surface Transportation Act [7] (FAST Act) amended section 503 of GLBA to establish an exception to the annual privacy notice requirements whereby a financial institution that meets certain criteria is not required to provide an annual privacy notice to customers. The amendment was effective upon enactment.

There are fewer requirements to qualify for the exception to providing an annual privacy notice pursuant to the FAST Act GLBA amendments than there are to qualify to use the CFPB’s alternative delivery method; any institution that meets the requirements for using the alternative delivery method is effectively excepted from delivering an annual privacy notice.

Under the authority of GLBA and the Fair Credit Reporting Act, NCUA issued the Guidelines for Safeguarding Member Information, 12 CFR Part 748, Appendix A (Security Guidelines). The Security Guidelines require a credit union to establish standards relating to administrative, technical, and physical safeguards to ensure the security, confidentiality, integrity, and proper disposal of information. The Security Guidelines impose requirements separate from the privacy requirements of GLBA and Regulation P and address safeguarding the confidentiality and security of information and ensuring proper disposal of information. The Security Guidelines are directed toward preventing and responding to foreseeable threats to, or unauthorized access or use of, that information. The Security Guidelines provide that credit unions must contractually require their affiliated and non-affiliated third party service providers that have access to the credit union’s data containing personal information to protect that information. NCUA has also released the IT Security Compliance Guide, which is intended to help credit unions comply with the Security Guidelines.



Associated Risks

Compliance Risk can occur when the credit union fails to implement the necessary controls to comply with Regulation P.

Reputation Risk can occur when members of the credit union learn of its failure to comply with Regulation P.

Examination Objectives

  • To assess the quality of the credit union’s compliance management policies, procedures, and internal controls for implementing the regulation, specifically ensuring consistency between what the credit union tells consumers in its notices about its policies and practices and what it actually does.
  • To determine the reliance that can be placed on the credit union’s policies, procedures, and internal controls for monitoring the credit union’s compliance with the regulation.
  • To determine the credit union’s compliance with the regulation, specifically in meeting the following requirements:
    • Providing members notices of its privacy policies and practices that are timely, accurate, clear and conspicuous, and delivered so that each member can reasonably be expected to receive actual notice;
    • Disclosing nonpublic personal information to nonaffiliated third parties, other than under an exception, after first meeting the applicable requirements for giving members notice and the right to opt out;
    • Appropriately honoring member opt out directions;
    • Lawfully using or disclosing nonpublic personal information received from a nonaffiliated financial institution; and
    • Disclosing account numbers only according to the limits in the regulation.
  • To initiate effective corrective actions when violations of law are identified, or when policies, procedures, or internal controls are deficient.

Examination Procedures [8]

  1. Through discussions with management and review of available information, identify the credit union’s information sharing practices (and changes to those practices) with affiliates and nonaffiliated third parties; how it treats nonpublic personal information; and how it administers opt-outs. Consider the following as appropriate:
    1. Notices (initial, annual, revised, opt-out, short-form, and simplified);
    2. Credit union privacy policies, procedures, and internal controls, including those to:
      1. Process requests for nonpublic personal information, including requests for aggregated information;
      2. Deliver notices to consumers;
      3. Manage consumer opt out directions (e.g., designating files, allowing a reasonable time to opt out, providing new opt out and privacy notices when necessary, receiving opt out directions, handling joint account holders);
      4. Prevent the unlawful disclosure and use of the information received from nonaffiliated financial institutions; and
      5. Prevent the unlawful disclosure of account numbers;
    3. Information sharing agreements between the credit union and affiliates and service agreements or contracts between the credit union and nonaffiliated third parties either to obtain or provide information or services;
    4. Complaint logs, telemarketing scripts, and any other information obtained from nonaffiliated third parties (Note: review telemarketing scripts to determine whether the contractual terms set forth under § 1016.13 are met and whether the credit union is disclosing account number information in violation of § 1016.12);
    5. Categories of nonpublic personal information collected from or about consumers in obtaining a financial product or service (e.g., in the application process for deposit, loan, or investment products; for an over-the-counter purchase of a bank check; from E-banking products or services, including information collected electronically through Internet cookies; or through ATM transactions);
    6. Categories of nonpublic personal information shared with, or received from, each nonaffiliated third party;
    7. Consumer complaints regarding the treatment of nonpublic personal information, including those received electronically;
    8. Records that reflect the credit union’s categorization of its information sharing practices under § 1016.13, § 1016.14, § 1016.15, and outside of these exceptions; and
    9. Results of a 501(b) (15 U.S.C. 6801(b)) inspection (used to determine the accuracy of the credit union’s privacy disclosures regarding information security).
  2. Use the information gathered from step 1 to work through the “Privacy Notice and Opt-Out Decision Tree” (Attachment A). Identify which module(s) of procedures is (are) applicable.
  3. Use the information gathered from step 1 to work through the Redisclosure and Reuse and Account Number Sharing Decision Trees, as necessary (Attachments B and C). Identify which module is applicable.
  4. Determine the adequacy of the credit union’s policies, procedures, and internal controls to ensure compliance with the regulation as applicable. Consider the following:
    1. Sufficiency of internal policies, procedures, and internal controls, including review of new products and services and controls over servicing arrangements and marketing arrangements;
    2. Effectiveness of management information systems, including the use of technology for monitoring, exception reports, and standardization of forms and procedures;
    3. Frequency and effectiveness of monitoring procedures;
    4. Adequacy and regularity of the credit union’s training program;
    5. Suitability of the compliance audit program for ensuring that:
      1. The procedures address all regulatory provisions as applicable;
      2. The work is accurate and comprehensive with respect to the credit union’s information sharing practices;
      3. The frequency is appropriate;
      4. Conclusions are appropriately reached and presented to responsible parties;
      5. Steps are taken to correct deficiencies and to follow up on previously identified deficiencies; and
    6. Knowledge level of management and personnel.
  5. Ascertain areas of risk associated with the credit union’s sharing practices (especially those within § 1016.13 and those that fall outside of the exceptions) and any weaknesses found within the compliance management program. Keep in mind any outstanding deficiencies identified in the audit for follow-up when completing the modules.
  6. Based on the results of the foregoing initial procedures and discussions with management, determine which procedures should be completed in the applicable module, focusing on areas of particular risk. The selection of procedures to be employed depends upon the adequacy of the credit union’s compliance management system and the level of risk identified. Each module contains a series of general instructions to verify compliance, cross-referenced to citations within the regulation. Additionally, there are cross-references to a more comprehensive checklist, which the examiner may use if needed to evaluate compliance in more detail.
  7. Evaluate any additional information or documentation discovered during the course of the examination according to these procedures. Note that this may reveal new or different sharing practices necessitating reapplication of the Decision Trees and completion of additional or different modules.
  8. Formulate conclusions.
    1. Summarize all findings.
    2. For violation(s) noted, determine the cause by identifying weaknesses in internal controls, compliance review, training, management oversight, or other areas.
    3. Identify action needed to correct violations and to address weaknesses in the credit union’s compliance system, as appropriate.
    4. Discuss findings with management and obtain a commitment for corrective action.

PRIVACY NOTICE AND OPT OUT DECISION TREE


Does the credit union share nonpublic personal information with nonaffiliated third parties under § 1016.14 and/or § 1016.15 and outside of the exceptions (with or without also sharing under § 1016.13)?

If yes, then Module 1,

  • Privacy notice (presentation, content, and delivery) (with or without § 1016.13 notice & contracting)
  • Short form notice (optional for consumers)
  • Customer notice delivery rules
  • Opt out rules

Otherwise if no, does the credit union share nonpublic personal information with nonaffiliated third parties under § 1016.13, and § 1016.14 and/or § 1016.15 but not outside the exceptions?

If yes, then Module 2,

Otherwise if no, does the credit union share nonpublic personal information with nonaffiliated third parties only under § 1016.14 and/or § 1016.15?

If yes, then Module 3,

  • Privacy notice
  • Simplified notice (if applicable)
  • Customer notice delivery rules

REDISCLOSURE AND REUSE OF NONPUBLIC PERSONAL INFORMATION RECEIVED FROM NONAFFILIATED FINANCIAL INSTITUTIONS DECISION TREE (§§ 1016.11(a) and 1016.11(b))


Does the credit union receive nonpublic personal information from nonaffiliated financial institutions? If no, then no review necessary.

If yes, how is that information received? 

If under §§ 1016.14 and/or 1016.15, then Module 4: receipt of information under §§ 1016.14 and/or 1016.15.

If outside of §§ 1016.14 and/or 1016.15, then Module 5: receipt of information outside of §§ 1016.14 and/or 1016.15.

ACCOUNT NUMBER SHARING DECISION TREE (§ 1016.12)

Does the credit union share account numbers or similar access numbers or codes with nonaffiliated third parties (other than a consumer reporting agency) for telemarketing, direct mail or electronic mail marketing?

If no, then no review necessary. This may include sharing of encrypted account numbers but not the decryption key. 

If yes, then Module 6 Account number sharing.

Sharing nonpublic personal information with nonaffiliated third parties under §§ 1016.14 and/or 1016.15 and outside of the exceptions

(With or without also sharing under § 1016.13)

Note: Financial institutions whose practices fall within this category engage in the most expansive degree of information sharing permissible. Consequently, these institutions are held to the most comprehensive compliance standards imposed by the regulation.

Note: As of December 4, 2015, a financial institution is not required to provide an annual privacy notice to its applicable customers if it: (1) solely shares nonpublic personal information in accordance with the provisions of GLBA sections 502(b)(2) (corresponding to Regulation P § 1016.13) or 502(e) (corresponding to Regulation P § 1016.14 and § 1016.15) or regulations prescribed under GLBA section 504(b); and (2) has not changed its policies and practices with regard to disclosing nonpublic personal information since its most recent disclosure to its customers that was made in accordance with GLBA section 503. A financial institution that at any time fails to comply with either of the criteria is not eligible for the exception and is required to provide an annual privacy notice to its customers.

  1. Disclosure of Nonpublic Personal Information
    1. Select a sample of third party relationships with nonaffiliated third parties and obtain a sample of information shared between the credit union and the third party both inside and outside of the exceptions. The sample should include a cross-section of relationships but should emphasize those that are higher risk in nature as determined by the initial procedures. Perform the following comparisons to evaluate the financial institution’s compliance with disclosure limitations.
      1. Compare the categories of information shared and with whom the information was shared to those stated in the privacy notice and verify that what the credit union tells consumers (both members and those who are not members) in its notices about its policies and practices in this regard, and what the institution actually does, are consistent (§ 1016.6, § 1016.10).
      2. Compare the information shared to a sample of opt out directions and verify that only nonpublic personal information covered under the exceptions or from consumers (customers and those who are not customers) who chose not to opt out is shared (§ 1016.10).
    2. If the credit union also shares information under § 1016.13, obtain and review contracts with nonaffiliated third parties that perform services for the credit union not covered by the exceptions in § 1016.14 or § 1016.15. Determine whether the contracts prohibit the third party from disclosing or using the information other than to carry out the purposes for which the information was disclosed (§ 1016.13).
  2. Presentation, Content, and Delivery of Privacy Notices
    1. Review the credit union’s initial, annual and revised notices, as well as any short-form notices that the credit union may use for consumers who are not members. Determine whether or not these notices:
      1. Are clear and conspicuous (§ 1016.13, § 1016.14, § 1016.5(a)(1), § 1016.8(a)(1));
      2. Accurately reflect the credit union’s policies and practices (§ 1016.4(a), § 1016.5(a)(1), § 1016.8(a)(1)). Note: this includes policies and practices disclosed in the notices that exceed regulatory requirements; and
      3. Include, and adequately describe, all required items of information and contain examples as applicable (§ 1016.6). Note that if the credit union shares nonpublic personal information under § 1016.13, the notice provisions for that section shall also apply.
      4. If the model privacy form is used, determine that it reflects the credit union’s policies and practices. For credit unions seeking a safe harbor for compliance with the content requirements of the regulation, verify that the notice has the proper content and is in the proper format as specified in the Appendix of the regulation.
    2. Through discussions with management, review of the credit union’s policies, procedures, and internal controls and a sample of electronic or written consumer records where available, determine if the credit union has adequate policies, procedures, and internal controls in place to provide notices to consumers, as appropriate. Assess the following:
      1. Timeliness of delivery (§ 1016.4(a), § 1016.7(c), § 1016.8(a));
      2. Reasonableness of the method of delivery (e.g., by hand; by mail; electronically, if the consumer agrees; or as a necessary step of a transaction) (§ 1016.9); and
      3. For members only, review the timeliness of delivery (§ 1016.4(d), § 1016.4(e), § 1016.5(a)), means of delivery of annual notice (§ 1016.9(c)), and accessibility of or ability to retain the notice (§ 1016.9(e)).
  3. Opt-Out Right
    1. Review the credit union’s opt-out notices. An opt-out notice may be combined with the credit union’s privacy notices. Regardless, determine whether the opt-out notices:
      1. Are clear and conspicuous (§ 1016.3(b) and § 1016.7(a)(1));
      2. Accurately explain the right to opt out (§ 1016.7(a)(1));
      3. Include and adequately describe the three required items of information (the credit union’s policy regarding disclosure of nonpublic personal information, the consumer’s opt-out right, and the means to opt out) (§ 1016.7(a)(1)); and
      4. Describe how the credit union treats joint relationships, as applicable (§ 1016.7(e)).
    2. Through discussions with management, review of the credit union’s policies, procedures, and internal controls and a sample of electronic or written records where available, determine if the credit union has adequate policies, procedures, and internal controls in place to provide the opt-out notice and comply with opt-out directions of consumers (members and those who are not members), as appropriate. Assess the following:
      1. Timeliness of delivery (§ 1016.10(a)(1));
      2. Reasonableness of the method of delivery (e.g., by hand; by mail; electronically, if the consumer agrees; or as a necessary step of a transaction) (§ 1016.9);
      3. Reasonableness of the opportunity to opt out (the time allowed to and the means by which the consumer may opt out) (§ 1016.10(a)(1)(iii), § 1016.10(a)(3)); and
      4. Adequacy of procedures to implement and track the status of a consumer’s (members and those who are not members) opt-out direction, including those of former members (§ 1016.7(e)–(g)).
  4. Checklist Cross References – Module 1

    | Regulation Section | Subject | Checklist Questions |
    | --- | --- | --- |
    | 1016.4(a), 1016.6(a, b, c, e), and 1016.9(a, b, g) | Privacy notices (presentation, content, and delivery) | 2, 8-11, 14, 18, 35, 36, 41 |
    | 1016.4(a, c, d, e), 1016.5, and 1016.9(c, e) | Customer notice delivery rules | 1, 3-7, 37-39 |
    | 1016.13 | § 1016.13 notice and contracting rules (as applicable) | 12, 48 |
    | 1016.6(d) | Short form notice rules (optional for consumers only) | 15-17 |
    | 1016.7, 1016.8, and 1016.10 | Opt-out rules | 19-34, 42-44 |
    | 1016.14 and 1016.15 | Exceptions | 49-51 |

Sharing nonpublic personal information with nonaffiliated third parties under § 1016.13, and § 1016.14 and/or § 1016.15 but not outside of these exceptions

Note: As of December 4, 2015, a financial institution is not required to provide an annual privacy notice to its applicable customers if it: (1) solely shares nonpublic personal information in accordance with the provisions of GLBA sections 502(b)(2) (corresponding to Regulation P § 1016.13) or 502(e) (corresponding to Regulation P § 1016.14 and § 1016.15) or regulations prescribed under GLBA section 504(b); and (2) has not changed its policies and practices with regard to disclosing nonpublic personal information since its most recent disclosure to its customers that was made in accordance with GLBA section 503. A financial institution that at any time fails to comply with either of the criteria is not eligible for the exception and is required to provide an annual privacy notice to its customers.

  1. Disclosure of Nonpublic Personal Information
    1. Select a sample of third party relationships with nonaffiliated third parties and obtain a sample of information shared between the credit union and the third party. The sample should include a cross-section of relationships but should emphasize those that are higher risk in nature as determined by the initial procedures. Perform the following comparisons to evaluate the credit union’s compliance with disclosure limitations.
      1. Compare the information shared and with whom the information was shared to ensure that the credit union accurately categorized its information sharing practices and is not sharing nonpublic personal information outside the exceptions (§§ 1016.13, 1016.14, 1016.15).
      2. Compare the categories of information shared and with whom the information was shared to those stated in the privacy notice and verify that what the credit union tells consumers in its notices about its policies and practices in this regard and what the credit union actually does are consistent (§§ 1016.6, 1016.10).
      3. If the model privacy form is used, determine that it reflects the credit union’s policies and practices. For credit unions seeking a safe harbor for compliance with the content requirements of the regulation, verify that the notice has the proper content and is in the proper format as specified in the Appendix of the regulation.
    2. Review contracts with nonaffiliated third parties that perform services for the credit union not covered by the exceptions in §§ 1016.14 or 1016.15. Determine whether the contracts adequately prohibit the third party from disclosing or using the information other than to carry out the purposes for which the information was disclosed (§1016.13(a)).
  2. Presentation, Content, and Delivery of Privacy Notices
    1. Review the credit union’s initial and annual privacy notices. Determine whether or not they:
      1. Are clear and conspicuous (§§ 1016.3(b), 1016.4(a), 1016.5(a)(1));
      2. Accurately reflect the institution’s policies and practices (§§ 1016.4(a), 1016.5(a)(1)). Note, this includes policies and practices disclosed in the notices that exceed regulatory requirements; and
      3. Include, and adequately describe, all required items of information and contain examples as applicable (§§ 1016.6, 1016.13).
    2. Through discussions with management, review of the credit union’s policies, procedures, and internal controls and a sample of electronic or written consumer records where available, determine if the credit union has adequate policies, procedures, and internal controls in place to provide notices to consumers, as appropriate. Assess the following:
      1. Timeliness of delivery (§ 1016.4(a));
      2. Reasonableness of the method of delivery (e.g., by hand; by mail; electronically, if the consumer agrees; as a necessary step of a transaction; or pursuant to the alternative delivery method) (§ 1016.9); and
      3. For members only, review the timeliness of delivery (§§ 1016.4(d), 1016.4(e), and 1016.5(a)), means of delivery of annual notice (§ 1016.9(c)), and accessibility of or ability to retain the notice (§ 1016.9(e)).
  3. Checklist Cross References – Module 2

    | Regulation Section | Subject | Checklist Questions |
    | --- | --- | --- |
    | 1016.4(a), 1016.6(a, b, c, e), and 1016.9(a, b, i) | Privacy notices (presentation, content, and delivery) | 2, 8-11, 14, 18, 35, 36, 41 |
    | 1016.4(a, c, d, e), 1016.5, and 1016.9(c, e) | Customer notice delivery rules | 1, 3-7, 37-39 |
    | 1016.13 | Exceptions to Opt-Out | 12, 48 |
    | 1016.14 and 1016.15 | Exceptions | 49-51 |

Sharing nonpublic personal information with nonaffiliated third parties only under §§ 1016.14 and/or 1016.15

NOTE: This module applies only to members.

Note: As of December 4, 2015, a financial institution is not required to provide an annual privacy notice to its applicable customers if it: (1) solely shares nonpublic personal information in accordance with the provisions of GLBA sections 502(b)(2) (corresponding to Regulation P § 1016.13) or 502(e) (corresponding to Regulation P §§ 1016.14 and 1016.15) or regulations prescribed under GLBA section 504(b); and (2) has not changed its policies and practices with regard to disclosing nonpublic personal information since its most recent disclosure to its customers that was made in accordance with GLBA section 503. A financial institution that at any time fails to comply with either of the criteria is not eligible for the exception and is required to provide an annual privacy notice to its customers.

  1. Disclosure of Nonpublic Personal Information
    1. Select a sample of third party relationships with nonaffiliated third parties and obtain a sample of information shared between the credit union and the third party.
      1. Compare the information shared and with whom the information was shared to ensure that the credit union accurately states its information sharing practices and is not sharing nonpublic personal information outside the exceptions.
  2. Presentation, Content, and Delivery of Privacy Notices
    1. Obtain and review the credit union’s initial and annual notices, as well as any simplified notice that the credit union may use. Note that the credit union may only use the simplified notice when it does not also share nonpublic personal information with affiliates outside of §§ 1016.14 and 1016.15 exceptions. Determine whether or not these notices:
      1. Are clear and conspicuous (§§ 1016.3(b), 1016.4(a), 1016.5(a)(1));
      2. Accurately reflect the credit union’s policies and practices (§§ 1016.4(a), 1016.5(a)(1)). Note, this includes policies and practices disclosed in the notices that exceed regulatory requirements; and
      3. Include, and adequately describe, all required items of information (§ 1016.6).
      4. If the model privacy form is used, determine that it reflects the credit union’s policies and practices. For credit unions seeking a safe harbor for compliance with the content requirements of the regulation, verify that the notice has the proper content and is in the proper format as specified in the Appendix of the regulation.
    2. Through discussions with management, review of the credit union’s policies, procedures, and internal controls and a sample of electronic or written member records where available, determine if the credit union has adequate policies, procedures, and internal controls in place to provide notices to members, as appropriate. Assess the following:
      1. Timeliness of delivery (§§ 1016.4(a), 1016.4(d), 1016.4(e), 1016.5(a)); and
      2. Reasonableness of the method of delivery (e.g., by hand; by mail; electronically, if the member agrees; as a necessary step of a transaction; or pursuant to the alternative delivery method) (§ 1016.9) and accessibility of or ability to retain the notice (§ 1016.9(e)).
  3. Checklist Cross References – Module 3

    | Regulation Section | Subject | Checklist Questions |
    | --- | --- | --- |
    | 1016.4(a, d, e), 1016.5, and 1016.9 | Member notice delivery process | 1, 3-7, 35-41 |
    | 1016.6 | Member notice content and presentation | 8-11, 14, 18 |
    | 1016.6(c)(5) | Simplified notice content (optional) | 13 |
    | 1016.14 and 1016.15 | Exceptions | 49-51 |

Redisclosure and Reuse of nonpublic personal information received from a nonaffiliated financial institution under § 1016.14 and/or § 1016.15

  1. Through discussions with management and review of the credit union’s policies, procedures, and internal controls, determine whether the credit union has adequate policies, procedures, and internal controls to prevent the unlawful redisclosure and reuse of the information where the credit union is the recipient of nonpublic personal information (§ 1016.11(a)).
  2. Select a sample of information received from nonaffiliated financial institutions, to evaluate the credit union’s compliance with redisclosure and reuse limitations.
    1. Verify that the credit union’s redisclosure of the information was only to affiliates of the financial institution from which the information was obtained or to the credit union’s own affiliates, except as otherwise allowed in step 2 below (§ 1016.11(a)(1)(i) and (ii)).
    2. Verify that the credit union only uses and shares the information pursuant to an exception in § 1016.14 and § 1016.15 (§ 1016.11(a)(1)(iii)).
  3. Checklist Cross References – Module 4

    | Regulation Section | Subject | Checklist Question |
    | --- | --- | --- |
    | 1016.11(a) | Redisclosure and reuse | 45 |
    | 1016.14, 1016.15 | Exceptions | 49-51 |

Redisclosure of nonpublic personal information received from a nonaffiliated financial institution outside of §§ 1016.14 and 1016.15

  1. Through discussions with management and review of the credit union’s policies, procedures, and internal controls, determine whether the credit union has adequate policies, procedures, and internal controls to prevent the unlawful redisclosure of the information where the credit union is the recipient of nonpublic personal information (§ 1016.11(b)).
  2. Select a sample of information received from nonaffiliated financial institutions and shared with others to evaluate the credit union’s compliance with redisclosure limitations.
    1. Verify that the credit union’s redisclosure of the information was only to affiliates of the financial institution from which the information was obtained or to the credit union’s own affiliates, except as otherwise allowed in step 2 below (§ 1016.11(b)(1)(i) and (ii)).
    2. If the credit union shares information with entities other than those under step 1 above, verify that the credit union’s information sharing practices conform to those in the nonaffiliated financial institution’s privacy notice (§ 1016.11(b)(1)(iii)).
    3. Also, review the procedures used by the credit union to ensure that the information sharing reflects the opt-out status of the consumers of the nonaffiliated financial institution (§ 1016.10, § 1016.11(b)(1)(iii)).
  3. Checklist Cross References – Module 5

     Regulation Section   Subject         Checklist Question
     1016.11(b)           Redisclosure    46

Account number sharing

  1. If available, review a sample of telemarketer scripts used when making sales calls to determine whether the scripts indicate that the telemarketers have the account numbers of the credit union’s members (§ 1016.12(a)).
  2. Obtain and review a sample of contracts with agents or service providers to whom the credit union discloses account numbers for use in connection with marketing the credit union's own products or services. Determine whether the credit union shares account numbers with nonaffiliated third parties only to perform marketing for the credit union’s own products and services. Ensure that the contracts do not authorize these nonaffiliated third parties to directly initiate charges to the accounts (§ 1016.12(b)(1)).
  3. Obtain a sample of materials and information provided to the consumer upon entering a private label or affinity credit card program. Determine if the participants in each program are identified to the member when the member enters into the program (§ 1016.12(b)(2)).
  4. Checklist Cross References – Module 6

     Regulation Section   Subject                  Checklist Question
     1016.12              Account number sharing   47

PRIVACY OF CONSUMER FINANCIAL INFORMATION
(REGULATION P)
CHECKLIST

SUBPART A

Initial Privacy Notice

Item Description Yes No N/A
1 Does the credit union provide a clear and conspicuous notice that accurately reflects its privacy policies and practices to all customers not later than when the customer relationship is established, other than as allowed in § 1016.4(e)? [§ 1016.4(a)(1)]

(Note: A credit union establishes a customer relationship when it enters into a continuing relationship with the consumer. [§ 1016.4(c)(1)] With respect to credit relationships, a credit union establishes a customer relationship when it originates a consumer loan. If the institution subsequently sells the servicing rights to the loan to another financial institution, the customer relationship transfers with the servicing rights. [§ 1016.4(c)(2)] Customer relationships in credit unions may include nonmembers. [§ 1016.4(c)(3)(iii)])
2 Does the credit union provide a clear and conspicuous notice that accurately reflects its privacy policies and practices to all consumers, who are not customers, before any nonpublic personal information about the consumer is disclosed to a nonaffiliated third party, other than under an exception in §§1016.14 or 1016.15? [§ 1016.4(a)(2)]

(Note: No notice is required if nonpublic personal information is disclosed to nonaffiliated third parties only under an exception in §§ 1016.14 and 1016.15, and there is no customer relationship. [§ 1016.4(b)])
3 Does the credit union provide to existing customers, who obtain a new financial product or service, a revised privacy notice that covers the customer's new financial product or service, if the most recent notice provided to the customer was not accurate with respect to the new financial product or service? [§ 1016.4(d)(1)]
4 Does the credit union provide initial notice after establishing a customer relationship only if: N/A N/A N/A
4(a) The customer relationship is not established at the customer's election; [§ 1016.4(e)(1)(i)] or      
4(b) To do otherwise would substantially delay the customer’s transaction (e.g. in the case of a telephone application), and the customer agrees to the subsequent delivery? [§ 1016.4(e)(1)(ii)]
5 When the subsequent delivery of a privacy notice is permitted, does the credit union provide notice after establishing a customer relationship within a reasonable time? [§ 1016.4(e)]      

Annual Privacy Notice

Item Description Yes No N/A
6 Does the credit union provide a clear and conspicuous notice that accurately reflects its privacy policies and practices at least annually (that is, at least once in any period of 12 consecutive months) to customers, unless an exception to the annual privacy notice requirement applies? [§§ 1016.5(a)(1-2)]

(Note: Annual notices are not required for former customers. [§§ 1016.5(b)(1) and (4)])
7 Does the credit union provide an annual privacy notice to each customer whose loan the credit union owns the right to service unless an exception to the annual privacy notice requirement applies? [§ 1016.4(c)(2)]      

Content of Privacy Notices

Item Description Yes No N/A
8 Do the initial, annual, and revised privacy notices include each of the following, as applicable: N/A N/A N/A
8(a) The categories of nonpublic personal information that the credit union collects; [§ 1016.6(a)(1)]      
8(b) The categories of nonpublic personal information that the credit union discloses; [§ 1016.6(a)(2)]      
8(c) The categories of affiliates and nonaffiliated third parties to whom the credit union discloses nonpublic personal information, other than parties to whom information is disclosed under an exception in §§ 1016.14 or 1016.15; [§ 1016.6(a)(3)]      
8(d) The categories of nonpublic personal information disclosed about former customers, and the categories of affiliates and nonaffiliated third parties to whom the credit union discloses that information, other than those parties to whom the credit union discloses information under an exception in §§ 1016.14 or 1016.15; [§ 1016.6(a)(4)]      
8(e) If the credit union discloses nonpublic personal information to a nonaffiliated third party under § 1016.13, and no exception under §§ 1016.14 or 1016.15 applies, a separate statement of the categories of information the credit union discloses and the categories of third parties with whom the credit union has contracted; [§ 1016.6(a)(5)]      
8(f) An explanation of the opt out right, including the method(s) of opt out that the consumer can use at the time of the notice; [§ 1016.6(a)(6)]      
8(g) Any disclosures that the credit union makes under FCRA section 603(d)(2)(A)(iii); [§ 1016.6(a)(7)]      
8(h) The credit union’s policies and practices with respect to protecting the confidentiality and security of nonpublic personal information; [§ 1016.6(a)(8)] and      
8(i) A general statement that the credit union makes disclosures to other nonaffiliated third parties for everyday business purposes, such as (with the credit union including all purposes that are applicable) to process transactions, maintain accounts, respond to court orders and legal investigations, or report to credit bureaus, or as permitted by law? [§ 1016.6(b)]

(Note: Financial institutions that provide a model privacy form in accordance with the instructions in the Appendix of the regulation receive a safe harbor for compliance with the content requirements of the regulation.)
9 Does the credit union list the following categories of nonpublic personal information that it collects, as applicable: N/A N/A N/A
9(a) Information from the consumer; [§ 1016.6(c)(1)(i)]
9(b) Information about the consumer’s transactions with the credit union or its affiliates; [§ 1016.6(c)(1)(ii)]
9(c) Information about the consumer’s transactions with nonaffiliated third parties; [§ 1016.6(c)(1)(iii)] and
9(d) Information from a consumer reporting agency? [§ 1016.6(c)(1)(iv)]      
10 Does the credit union list the following § 1016.6(c)(1) categories of nonpublic personal information that it discloses, as applicable, and a few examples of each, or alternatively state that it reserves the right to disclose all the nonpublic personal information that it collects: N/A N/A N/A
10(a) Information from the consumer;      
10(b) Information about the consumer’s transactions with the credit union or its affiliates;      
10(c) Information about the consumer’s transactions with nonaffiliated third parties; and      
10(d) Information from a consumer reporting agency? [§ 1016.6(c)(2)]

(Note: Examples are recommended under § 1016.6(c)(2)(i) although not under § 1016.6(c)(1).)
11 Does the credit union list the following categories of affiliates and nonaffiliated third parties to whom it discloses information, as applicable, and a few examples to illustrate the types of the third parties in each category: N/A N/A N/A
11(a) Financial service providers; [§ 1016.6(c)(3)(i)]      
11(b) Non-financial companies; [§ 1016.6(c)(3)(ii)] and      
11(c) Others? [§ 1016.6(c)(3)(iii)]      
12 Does the credit union make the following disclosures regarding service providers and joint marketers to whom it discloses nonpublic personal information under § 1016.13: N/A N/A N/A
12(a) As applicable, the same categories and examples of nonpublic personal information disclosed as described in §§ 1016.6(a)(2) and 1016.6(c)(2) (see questions 8b and 10); [§ 1016.6(c)(4)(i)] and      
12(b) That the third party is a service provider that performs marketing on the credit union’s behalf or on behalf of the credit union and another financial institution; [§ 1016.6(c)(4)(ii)(A)] or      
12(c) That the third party is a financial institution with which the credit union has a joint marketing agreement? [§ 1016.6(c)(4)(ii)(B)]      
13 If the credit union does not disclose nonpublic personal information, and does not reserve the right to do so, other than under exceptions in §§ 1016.14 and 1016.15, does the credit union provide a simplified privacy notice that contains at a minimum: N/A N/A N/A
13(a) A statement to this effect;      
13(b) The categories of nonpublic personal information it collects (same as § 1016.6(a)(1));      
13(c) The policies and practices the credit union uses to protect the confidentiality and security of nonpublic personal information (same as § 1016.6 (a)(8)); and      
13(d) A general statement that the credit union makes disclosures to other nonaffiliated third parties as permitted by law (same as §§ 1016.6(a)(9) and 1016.6(b))? [§ 1016.6(c)(5)]

(Note: Use of this type of simplified notice is optional; a credit union may always use a full notice.)
14 Does the credit union describe the following about its policies and practices with respect to protecting the confidentiality and security of nonpublic personal information: N/A N/A N/A
14(a) Who is authorized to have access to the information; [§ 1016.6(c)(6)(i)] and      
14(b) Whether security practices and policies are in place to ensure the confidentiality of the information in accordance with the credit union’s policy? [§ 1016.6(c)(6)(ii)]

(Note: The credit union is not required to describe technical information about the safeguards used in this respect.)
15 If the credit union provides a short-form initial privacy notice with the opt-out notice, does the credit union do so only to consumers with whom the credit union does not have a customer relationship? [§ 1016.6(d)(1)]      
16 If the credit union provides a short-form initial privacy notice according to § 1016.6(d)(1), does the short-form initial notice: N/A N/A N/A
16(a) Conform to the definition of “clear and conspicuous”; [§ 1016.6(d)(2)(i)]      
16(b) State that the credit union’s full privacy notice is available upon request; [§ 1016.6(d)(2)(ii)] and      
16(c) Explain a reasonable means by which the consumer may obtain the notice? [§ 1016.6(d)(2)(iii)]

(Note: The credit union is not required to deliver the full privacy notice with the short-form initial notice. [§ 1016.6(d)(3)])
17 Does the credit union provide consumers who receive the short-form initial notice with a reasonable means of obtaining the longer initial notice, such as: N/A N/A N/A
17(a) A toll-free telephone number that the consumer may call to request the notice; [§ 1016.6(d)(4)(i)] or
17(b) Having copies available to provide immediately by hand-delivery for the consumer who conducts business in person at the credit union's office? [§ 1016.6(d)(4)(ii)]      
18 If the credit union, in its privacy policies and practices, reserves the right to disclose nonpublic personal information to nonaffiliated third parties in the future, does the privacy notice include, as applicable: N/A N/A N/A
18(a) The categories of nonpublic personal information that the credit union reserves the right to disclose in the future, but does not currently disclose; [§ 1016.6(e)(1)] and      
18(b) The categories of affiliates or nonaffiliated third parties to whom the credit union reserves the right in the future to disclose, but to whom it does not currently disclose, nonpublic personal information? [§ 1016.6(e)(2)]      

Opt-Out Notice

Item Description Yes No N/A
19 If the credit union discloses nonpublic personal information about a consumer to a nonaffiliated third party, and the exceptions under §§ 1016.13, 1016.14, and 1016.15 do not apply, does the credit union provide the consumer with a clear and conspicuous opt-out notice that accurately explains the right to opt out? [§ 1016.7(a)(1)]
20 Does the opt-out notice state: N/A N/A N/A
20(a) The credit union discloses or reserves the right to disclose nonpublic personal information about the consumer to a nonaffiliated third party; [§ 1016.7(a)(1)(i)]      
20(b) The consumer has the right to opt-out of that disclosure; [§ 1016.7(a)(1)(ii)] and      
20(c) A reasonable means by which the consumer may opt-out? [§ 1016.7(a)(1)(iii)]      
21 Does the credit union provide the consumer with the following information about the right to opt-out: N/A N/A N/A
21(a) All of the categories of nonpublic personal information that the credit union discloses or reserves the right to disclose; [§ 1016.7(a)(2)(i)(A)]      
21(b) All the categories of nonaffiliated third parties to whom the information is disclosed; [§ 1016.7(a)(2)(i)(A)]      
21(c) The consumer has the right to opt-out of the disclosure of that information; [§ 1016.7(a)(2)(i)(A)] and      
21(d) The financial products or services that the consumer obtains to which the opt-out direction would apply? [§ 1016.7(a)(2)(i)(B)]      
22 Does the credit union provide the consumer with at least one of the following reasonable means of opting out, or with another reasonable means: N/A N/A N/A
22(a) Check-off boxes prominently displayed on the relevant forms with the opt-out notice; [§ 1016.7(a)(2)(ii)(A)]      
22(b) A reply form included with the opt-out notice; [§ 1016.7(a)(2)(ii)(B)]      
22(c) An electronic means to opt-out, such as a form that can be sent via electronic mail or a process at the credit union’s web site, if the consumer agrees to the electronic delivery of information; [§ 1016.7(a)(2)(ii)(C)] or      
22(d) A toll-free telephone number? [§ 1016.7(a)(2)(ii)(D)]      

(Note: The credit union may require the consumer to use one specific means, as long as that means is reasonable for that consumer. [§ 1016.7(a)(2)(iv)])

23 If the credit union delivers the opt-out notice after the initial notice, does the credit union provide the initial notice once again with the opt-out notice? [§ 1016.7(c)]      
24 Does the credit union provide an opt-out notice, explaining how the credit union will treat opt-out directions by the joint consumers, to at least one party when consumers jointly obtain a financial product, other than a loan? [§ 1016.7(e)(1)]      
25 Does the credit union permit each of the joint consumers in a joint relationship to opt-out? [§ 1016.7(e)(2)]      
26 Does the opt-out notice to joint consumers state that either: N/A N/A N/A
26(a) The credit union will consider an opt-out by a joint consumer as applying to all associated joint consumers; [§ 1016.7(e)(2)(i)] or      
26(b) Each joint consumer is permitted to opt-out separately? [§ 1016.7(e)(2)(ii)]      
27 If each joint consumer may opt-out separately, does the credit union permit: N/A N/A N/A
27(a) One joint consumer to opt-out on behalf of all of the joint consumers; [§ 1016.7(e)(3)]      
27(b) The joint consumers to notify the credit union in a single response; [§ 1016.7(e)(5)(i)] and      
27(c) Each joint consumer to opt-out either for himself or herself, and/or for another joint consumer? [§ 1016.7(e)(5)(ii)]      
28 Does the credit union refrain from requiring all joint consumers to opt out before implementing any opt-out direction with respect to the joint account? [§ 1016.7(e)(4)]      
29 For loans, does the credit union provide an initial opt-out notice to a borrower or guarantor on a loan? [§ 1016.7(e)(6)(i)]

(Note: The annual opt-out notice may be provided to borrowers and guarantors jointly. [§ 1016.7(e)(6)(ii)])
30 Does the credit union comply with a consumer’s direction to opt-out as soon as is reasonably practicable after receiving it? [§ 1016.7(g)]      
31 Does the credit union allow the consumer to opt-out at any time? [§ 1016.7(h)]      
32 Does the credit union continue to honor the consumer’s opt-out direction until revoked by the consumer in writing, or, if the consumer agrees, electronically? [§ 1016.7(i)(1)]      
33 When a customer relationship ends, does the credit union continue to apply the customer’s opt-out direction to the nonpublic personal information collected during, or related to, that specific customer relationship (but not to new relationships, if any, subsequently established by that customer)? [§ 1016.7(i)(2)]      

Revised Notices

Item Description Yes No N/A
34 Except as permitted by §§ 1016.13, 1016.14, and 1016.15, does the credit union refrain from disclosing any nonpublic personal information about a consumer to a nonaffiliated third party, other than as described in the initial privacy notice provided to the consumer, unless: N/A N/A N/A
34(a) The credit union has provided the consumer with a clear and conspicuous revised notice that accurately describes the credit union's privacy policies and practices; [§ 1016.8(a)(1)]      
34(b) The credit union has provided the consumer with a new opt-out notice; [§ 1016.8(a)(2)]      
34(c) The credit union has given the consumer a reasonable opportunity to opt out of the disclosure, before disclosing any information; [§ 1016.8(a)(3)] and      
34(d) The consumer has not opted out? [§ 1016.8(a)(4)]      
35 Does the credit union deliver a revised privacy notice when it: N/A N/A N/A
35(a) Discloses a new category of nonpublic personal information to a nonaffiliated third party; [§ 1016.8(b)(1)(i)]      
35(b) Discloses nonpublic personal information to a new category of nonaffiliated third party; [§ 1016.8(b)(1)(ii)] or      
35(c) Discloses nonpublic personal information about a former customer to a nonaffiliated third party, if that former customer has not had the opportunity to exercise an opt-out right regarding that disclosure? [§ 1016.8(b)(1)(iii)]

(Note: A revised notice is not required if the credit union adequately described the nonaffiliated third party or information to be disclosed in the prior privacy notice. [§ 1016.8(b)(2)])

Delivery Methods

Item Description Yes No N/A
36 Does the credit union deliver the privacy and opt-out notices, including the short-form notice, so that the consumer can reasonably be expected to receive actual notice in writing or, if the consumer agrees, electronically? [§ 1016.9(a)]      
37 Does the credit union use a reasonable means for delivering the notices, such as: N/A N/A N/A
37(a) Hand-delivery of a printed copy; [§ 1016.9(b)(1)(i)]      
37(b) Mailing a printed copy to the last known address of the consumer; [§ 1016.9(b)(1)(ii)]      
37(c) For the consumer who conducts transactions electronically, clearly and conspicuously posting the notice on the credit union’s electronic site and requiring the consumer to acknowledge receipt as a necessary step to obtaining a financial product or service; [§ 1016.9(b)(1)(iii)] or      
37(d) For isolated transactions, such as ATM transactions, posting the notice on the screen and requiring the member to acknowledge receipt as a necessary step to obtaining the financial product or service? [§ 1016.9(b)(1)(iv)]

(Note: Insufficient or unreasonable means of delivery include: exclusively oral notice, in person or by telephone; branch or office signs or generally published advertisements; and electronic mail to a member who does not obtain products or services electronically. [§§ 1016.9(b)(2)(i-ii) and 1016.9(d)])
38 For annual notices only, if the credit union does not employ one of the methods described in question 37, does the credit union employ one of the following reasonable means of delivering the notice: N/A N/A N/A
38(a) For the member who uses the institution’s web site to access products and services electronically and who agrees to receive notices at the web site, continuously posting the current privacy notice on the web site in a clear and conspicuous manner; [§ 1016.9(c)(1)(i)] or      
38(b) For the member who has requested the credit union refrain from sending any information about the customer relationship, making copies of the current privacy notice available upon the member’s request? [§ 1016.9(c)(1)(ii)]      
39 As of October 28, 2014, for annual notices only, if the credit union uses the alternative delivery method does it meet the following conditions: N/A N/A N/A
39(a) The credit union does not disclose the customer’s nonpublic personal information to nonaffiliated third parties other than for purposes under §§ 1016.13, 1016.14, and 1016.15; [§ 1016.9(c)(2)(i)(A)]      
39(b) The credit union does not include on its privacy notice an opt out under FCRA section 603(d)(2)(A)(iii); [§ 1016.9(c)(2)(i)(B)]      
39(c) The credit union previously provided the customer the opt-out notices required by FCRA section 624 and Subpart C of Regulation V, if applicable, or the privacy notice is not the only notice provided to satisfy those requirements; [§ 1016.9(c)(2)(i)(C)]      
39(d) The information that the credit union is required to convey on its privacy notice pursuant to §§ 1016.6(a)(1) through (5), 1016.6(a)(8), and 1016.6(a)(9) has not changed since it provided the immediately previous privacy notice to the customer, other than to eliminate categories of information that it discloses or categories of third parties to which it discloses information; [§ 1016.9(c)(2)(i)(D)]
39(e) The credit union uses the model privacy form for its privacy notice; [§ 1016.9(c)(2)(i)(E)]      
39(f) The credit union conveys in a clear and conspicuous manner, not less than annually, on an account statement, coupon book, or a notice or disclosure that it is required or expressly and specifically permitted to issue to the customer under any other provision of law, that the privacy notice is available on its web site and will be mailed to the customer upon request by telephone; and the statement states that the privacy notice has not changed and includes a specific web address that takes the customer to the web site where the privacy notice is posted and a telephone number for the customer to request that it be mailed; [§ 1016.9(c)(2)(ii)(A)]
39(g) The credit union posts its privacy notice continuously and in a clear and conspicuous manner on a page on its web site on which the only content is the privacy notice, without requiring the customer to provide any information such as a login name or password or agree to any conditions to access the web site; [§ 1016.9(c)(2)(ii)(B)] and      
39(h) The credit union mails its current privacy notice to those customers who request it by telephone within ten calendar days of the request? [§ 1016.9(c)(2)(ii)(C)]      
40 As of December 4, 2015, for annual privacy notices only, if the credit union does not provide an annual privacy notice (or provides one, but not using a compliant delivery method), does the credit union meet both of the following criteria: N/A N/A N/A
40(a) The credit union solely shares nonpublic personal information in accordance with the provisions of GLBA sections 502(b)(2) (corresponding to § 1016.13) or 502(e) (corresponding to §§ 1016.14 and 1016.15) or regulations prescribed under GLBA section 504(b); and
40(b) The credit union has not changed its policies and practices with regard to disclosing nonpublic personal information from the policies and practices that were disclosed in the most recent disclosure sent to consumers in accordance with GLBA section 503?      
41 For customers only, does the credit union ensure that the initial, annual, and revised notices may be retained or obtained later by the customer in writing, or if the customer agrees, electronically? [§ 1016.9(e)(1)]      
42 Does the credit union use an appropriate means to ensure that notices may be retained or obtained later, such as: N/A N/A N/A
42(a) Hand-delivery of a printed copy of the notice; [§ 1016.9(e)(2)(i)]      
42(b) Mailing a printed copy to the last known address of the customer upon request of the customer; [§ 1016.9(e)(2)(ii)] or      
42(c) Making the current privacy notice available on the credit union’s website (or via a link to the notice at another site) for the customer who agrees to receive the notice at the website? [§ 1016.9(e)(2)(iii)]
43 Does the credit union provide at least one initial, annual, and revised notice, as applicable, to joint consumers? [§ 1016.9(i)]      

SUBPART B

Limits on Disclosure to Nonaffiliated Third Parties

Item Description Yes No N/A
44 Does the credit union refrain from disclosing any nonpublic personal information about a consumer to a nonaffiliated third party, other than as permitted under §§ 1016.13, 1016.14, and 1016.15, unless: N/A N/A N/A
44(a) It has provided the consumer with an initial notice; [§ 1016.10(a)(1)(i)]      
44(b) It has provided the consumer with an opt-out notice; [§ 1016.10(a)(1)(ii)]      
44(c) It has given the consumer a reasonable opportunity to opt out before the disclosure; [§ 1016.10(a)(1)(iii)] and      
44(d) The consumer has not opted out? [§ 1016.10(a)(1)(iv)]

(Note: This disclosure limitation applies to consumers as well as to customers [§ 1016.10(b)(1)], and to all nonpublic personal information regardless of whether the information was collected before or after receiving an opt out direction. [§ 1016.10(b)(2)])
45 Does the credit union provide the consumer with a reasonable opportunity to opt out such as by: N/A N/A N/A
45(a) Mailing the notices required by § 1016.10 and allowing the consumer to respond by toll-free telephone number, return mail, or other reasonable means (see question 22) within 30 days from the date mailed; [§ 1016.10(a)(3)(i)]      
45(b) Where the consumer opens an on-line account with the institution and agrees to receive the notices required by § 1016.10 electronically, allowing the consumer to opt out by any reasonable means (see question 22) within 30 days from consumer acknowledgement of receipt of the notice in conjunction with opening the account; [§ 1016.10(a)(3)(ii)] or      
45(c) For isolated transactions, providing the notices required by § 1016.10 at the time of the transaction and requesting that the consumer decide, as a necessary part of the transaction, whether to opt out before the completion of the transaction? [§ 1016.10(a)(3)(iii)]
46 Does the credit union allow the consumer to select certain nonpublic personal information or certain nonaffiliated third parties with respect to which the consumer wishes to opt out? [§ 1016.10(c)]

(Note: A credit union may allow partial opt outs in addition to, but may not allow them instead of a comprehensive opt out.)

Limits on Redisclosure and Reuse of Information

Item Description Yes No N/A
47 If the credit union receives information from a nonaffiliated financial institution under an exception in §§ 1016.14 or 1016.15, does the credit union refrain from using or disclosing the information except: N/A N/A N/A
47(a) To disclose the information to the affiliates of the financial institution from which it received the information; [§1016.11(a)(1)(i)]      
47(b) To disclose the information to its own affiliates, which are in turn limited by the same disclosure and use restrictions as the recipient institution; [§ 1016.11(a)(1)(ii)] and      
47(c) To disclose and use the information pursuant to an exception in §§ 1016.14 or 1016.15 in the ordinary course of business to carry out the activity covered by the exception under which the information was received? [§ 1016.11(a)(1)(iii)]

(Note: The disclosure or use described in item (c) of this question need not be directly related to the activity covered by the applicable exception. For instance, a credit union receiving information for fraud-prevention purposes could provide the information to its auditors. But the phrase “in the ordinary course of business” does not include marketing. [§ 1016.11(a)(2)])
48 If the credit union receives information from a nonaffiliated financial institution other than under an exception in §§ 1016.14 or 1016.15, does the credit union refrain from disclosing the information except: N/A N/A N/A
48(a) To the affiliates of the financial institution from which it received the information; [§ 1016.11(b)(1)(i)]      
48(b) To its own affiliates, which are in turn limited by the same disclosure restrictions as the recipient credit union; [§ 1016.11(b)(1)(ii)] and      
48(c) To any other person, if the disclosure would be lawful if made directly to that person by the financial institution from which the credit union received the information? [§ 1016.11(b)(1)(iii)]      

Limits on Sharing Account Number Information for Marketing Purposes

Item Description Yes No N/A
49 Does the credit union refrain from disclosing, directly or through affiliates, account numbers or similar forms of access numbers or access codes for a consumer's credit card account, deposit account, or transaction account to any nonaffiliated third party (other than to a consumer reporting agency) for telemarketing, direct mail or electronic mail marketing to the consumer, except: N/A N/A N/A
49(a) To the credit union’s agents or service providers solely to market the credit union’s own products or services, as long as the agent or service provider is not authorized to directly initiate charges to the account; [§ 1016.12(b)(1)] or      
49(b) To a participant in a private label credit card program or an affinity or similar program where the participants in the program are identified to the customer when the customer enters into the program? [§ 1016.12(b)(2)]

(Note: An “account number or similar form of access number or access code” does not include numbers in encrypted form, so long as the credit union does not provide the recipient with a means of decryption. [§ 1016.12(c)(1)] A transaction account does not include an account to which third parties cannot initiate charges. [§ 1016.12(c)(2)])

SUBPART C

Exception to Opt Out Requirements for Service Providers and Joint Marketing

Item Description Yes No N/A
50 If the credit union discloses nonpublic personal information to a nonaffiliated third party without permitting the consumer to opt out, do the opt-out requirements of §§ 1016.7 and 1016.10, and the revised notice requirements in § 1016.8, not apply because: N/A N/A N/A
50(a) The credit union disclosed the information to a nonaffiliated third party who performs services for or functions on behalf of the credit union (including joint marketing of financial products and services offered pursuant to a joint agreement as defined in § 1016.13(b)); [§ 1016.13(a)(1)]
50(b) The credit union has provided consumers with the initial notice; [§ 1016.13(a)(1)(i)] and
50(c) The credit union has entered into a contract with that party prohibiting the party from disclosing or using the information except to carry out the purposes for which the information was disclosed, including use under an exception in §§ 1016.14 or 1016.15 in the ordinary course of business to carry out those purposes? [§ 1016.13(a)(1)(ii)]

Exceptions to Notice and Opt Out Requirements for Processing and Servicing Transactions
Item Description Yes No N/A
51 If the credit union discloses nonpublic personal information to nonaffiliated third parties, do the requirements for initial notice in § 1016.4(a)(2), opt out in §§ 1016.7 and 1016.10, revised notice in § 1016.8, and for service providers and joint marketing in § 1016.13, not apply because the information is disclosed as necessary to effect, administer, or enforce a transaction that the consumer requests or authorizes, or in connection with: N/A N/A N/A
51(a) Servicing or processing a financial product or service requested or authorized by the consumer; [§ 1016.14(a)(1)]
51(b) Maintaining or servicing the consumer's account with the credit union or with another entity as part of a private label credit card program or other credit extension on behalf of the entity; or [§ 1016.14(a)(2)]
51(c) A proposed or actual securitization, secondary market sale (including sale of servicing rights) or other similar transaction related to a transaction of the consumer? [§ 1016.14(a)(3)]
52 If the credit union uses a § 1016.14 exception as necessary to effect, administer, or enforce a transaction, is the disclosure: N/A N/A N/A
52(a) Required, or is one of the lawful or appropriate methods, to enforce the rights of the credit union or other persons engaged in carrying out the transaction or providing the product or service; [§ 1016.14(b)(1)] or
52(b) Required, or is a usual, appropriate, or acceptable method, to: [§ 1016.14(b)(2)]
52(b)(i) Carry out the transaction or the product or service business of which the transaction is a part, including recording, servicing, or maintaining the consumer's account in the ordinary course of business; [§ 1016.14(b)(2)(i)]
52(b)(ii) Administer or service benefits or claims; [§ 1016.14(b)(2)(ii)]
52(b)(iii) Confirm or provide a statement or other record of the transaction or information on the status or value of the financial service or financial product to the consumer or the consumer's agent or broker; [§ 1016.14(b)(2)(iii)]
52(b)(iv) Accrue or recognize incentives or bonuses; [§ 1016.14(b)(2)(iv)]
52(b)(v) Underwrite insurance or for reinsurance or for certain other purposes related to a consumer's insurance; [§ 1016.14(b)(2)(v)] or
52(b)(vi) In connection with: N/A N/A N/A
52(b)(vi)(1) The authorization, settlement, billing, processing, clearing, transferring, reconciling, or collection of amounts charged, debited, or otherwise paid by using a debit, credit, or other payment card, check, or account number, or by other payment means; [§ 1016.14(b)(2)(vi)(A)]
52(b)(vi)(2) The transfer of receivables, accounts or interests therein; [§ 1016.14(b)(2)(vi)(B)] or
52(b)(vi)(3) The audit of debit, credit, or other payment information? [§ 1016.14(b)(2)(vi)(C)]

Other Exceptions to Notice and Opt Out Requirements
Item Description Yes No N/A
53 If the credit union discloses nonpublic personal information to nonaffiliated third parties, do the requirements for initial notice in § 1016.4(a)(2), opt out in §§ 1016.7 and 1016.10, revised notice in § 1016.8, and for service providers and joint marketers in § 1016.13, not apply because the credit union makes the disclosure: N/A N/A N/A
53(a) With the consent or at the direction of the consumer; [§ 1016.15(a)(1)]
53(b) To protect the confidentiality or security of records [§ 1016.15(a)(2)(i)]; to protect against or prevent actual or potential fraud, unauthorized transactions, claims, or other liability [§ 1016.15(a)(2)(ii)]; for required credit union risk control or for resolving consumer disputes or inquiries [§ 1016.15(a)(2)(iii)]; to persons holding a legal or beneficial interest relating to the consumer [§ 1016.15(a)(2)(iv)]; or to persons acting in a fiduciary or representative capacity on behalf of the consumer; [§ 1016.15(a)(2)(v)]
53(c) To insurance rate advisory organizations, guaranty funds or agencies, agencies rating the credit union, persons assessing compliance, and the credit union's attorneys, accountants, and auditors; [§ 1016.15(a)(3)]
53(d) As specifically permitted or required by other provisions of law and in compliance with the Right to Financial Privacy Act, to law enforcement agencies, self-regulatory organizations, or for an investigation on a matter related to public safety; [§ 1016.15(a)(4)]
53(e) To a consumer reporting agency in accordance with the FCRA or from a consumer report reported by a consumer reporting agency; [§ 1016.15(a)(5)]
53(f) In connection with a proposed or actual sale, merger, transfer, or exchange of all or a portion of a business or operating unit, if the disclosure of nonpublic personal information concerns solely consumers of such business or unit; [§ 1016.15(a)(6)]
53(g) To comply with Federal, state, or local laws, rules, or legal requirements; [§ 1016.15(a)(7)(i)]
53(h) To comply with a properly authorized civil, criminal, or regulatory investigation, or subpoena or summons by Federal, state, or local authorities; [§ 1016.15(a)(7)(ii)] or
53(i) To respond to judicial process or government regulatory authorities having jurisdiction over the credit union for examination, compliance, or other purposes as authorized by law? [§ 1016.15(a)(7)(iii)]

(Note: The regulation gives the following as an example of the consent exception described in item 53(a): "A consumer may specifically consent to [a credit union's] disclosure to a nonaffiliated insurance company of the fact that the consumer has applied to [the credit union] for a mortgage so that the insurance company can offer homeowner's insurance to the consumer.")

Footnotes

[1] 15 U.S.C. §§6801-6809.

[2] Dodd-Frank Wall Street Reform and Consumer Protection Act of 2010, Pub. L. No. 111-203, Title X, 124 Stat. 1983 (2010).

[3] Dodd-Frank Act §§1002(12)(J), 1024(b)-(c), and 1025(b)-(c); 12 U.S.C. §§5481(12)(J), 5514(b)-(c), and 5515(b)-(c). Section 1002(12)(J) of the Dodd-Frank Act, however, excluded financial institutions’ information security safeguards under GLBA section 501(b) from the CFPB’s rulemaking, examination, and enforcement authority.

[4] 76 FR 79025 (Dec. 21, 2011). Pursuant to GLBA, the FTC retains rulemaking authority over any financial institution that is a person described in 12 U.S.C. §5519 (with certain statutory exceptions, the FTC generally retains rulemaking authority for motor vehicle dealers predominantly engaged in the sale and servicing of motor vehicles, the leasing and servicing of motor vehicles, or both).

[5] 74 FR 62890.

[6] 79 FR 64057.

[7] Fixing America’s Surface Transportation Act of 2015, Pub. L. No. 114-94 (2015), 129 Stat. 1312 (2015).

[8] These reflect FFIEC-approved examination procedures.