Privacy of Consumer Financial Information (Regulation P)

Title V, Subtitle A of the Gramm-Leach-Bliley Act (GLBA) [1] governs the treatment of nonpublic personal information about consumers by financial institutions. Section 502 of the Subtitle, subject to certain exceptions, prohibits a financial institution from disclosing nonpublic personal information about a consumer to nonaffiliated third parties, unless (i) the institution satisfies various notice and opt-out requirements, and (ii) the consumer has not elected to opt out of the disclosure. Section 503 requires the institution to provide notice of its privacy policies and practices to its customers. Section 504 authorizes the issuance of regulations to implement these provisions.

Title X of the Dodd-Frank Wall Street Reform and Consumer Protection Act (Dodd-Frank Act) [2] granted rulemaking authority for most provisions of Subtitle A of Title V of GLBA to the Consumer Financial Protection Bureau (CFPB) with respect to financial institutions and other entities subject to the CFPB’s jurisdiction, except securities and futures-related companies and certain motor vehicle dealers. The Dodd-Frank Act also granted authority to the CFPB to examine and enforce compliance with these statutory provisions and their implementing regulations with respect to entities under CFPB jurisdiction. [3] In December 2011 the CFPB re-codified in Regulation P, 12 CFR Part 1016, the implementing regulations that were previously issued by the Board, the FDIC, the Federal Trade Commission (FTC), the NCUA, the OCC, and the former OTS. [4]

On December 1, 2009, the eight federal agencies jointly released a voluntary model privacy form designed to make it easier for consumers to understand how financial institutions collect and share nonpublic personal information. [5] The final rule adopting the model privacy form was effective on December 31, 2009.

On October 28, 2014, the CFPB published a final rule amending the requirements regarding financial institutions’ provision of their annual disclosures of privacy policies and practices to customers by creating an alternative delivery method that financial institutions can use under certain circumstances. [6] The amendment was effective immediately upon publication. The alternative delivery method allows a financial institution to provide an annual privacy notice by posting the annual notice on its web site, if the financial institution meets certain conditions.

As of December 4, 2015, section 75001 of the Fixing America’s Surface Transportation Act [7] (FAST Act) amended section 503 of GLBA to establish an exception to the annual privacy notice requirements whereby a financial institution that meets certain criteria is not required to provide an annual privacy notice to customers. The amendment was effective upon enactment.

There are fewer requirements to qualify for the exception to providing an annual privacy notice pursuant to the FAST Act GLBA amendments than there are to qualify to use the CFPB’s alternative delivery method; any institution that meets the requirements for using the alternative delivery method is effectively excepted from delivering an annual privacy notice.

Under the authority of GLBA and the Fair Credit Reporting Act, NCUA issued the Guidelines for Safeguarding Member Information, 12 CFR Part 748, Appendix A (Security Guidelines). The Security Guidelines require a credit union to establish standards relating to administrative, technical, and physical safeguards to ensure the security, confidentiality, integrity, and proper disposal of information. The Security Guidelines impose requirements separate from the privacy requirements of GLBA and Regulation P and address safeguarding the confidentiality and security of information and ensuring proper disposal of information. The Security Guidelines are directed toward preventing and responding to foreseeable threats to, or unauthorized access or use of, that information. The Security Guidelines provide that credit unions must contractually require their affiliated and nonaffiliated third-party service providers that have access to the credit union’s data containing personal information to protect that information. NCUA has also released the IT Security Compliance Guide, which is intended to help credit unions comply with the Security Guidelines.

You can find the full text of Regulation P here. You can find the sections of the GLBA relevant to consumer financial privacy here.


Associated Risks

Compliance Risk can occur when the credit union fails to implement the necessary controls to comply with Regulation P.

Reputation Risk can occur when members of the credit union learn of its failure to comply with Regulation P.

Examination Objectives

  • To assess the quality of the credit union’s compliance management policies, procedures, and internal controls for implementing the regulation, specifically ensuring consistency between what the credit union tells consumers in its notices about its policies and practices and what it actually does.
  • To determine the reliance that can be placed on the credit union’s policies, procedures, and internal controls for monitoring the credit union’s compliance with the regulation.
  • To determine the credit union’s compliance with the regulation, specifically in meeting the following requirements:
    • Providing members notices of its privacy policies and practices that are timely, accurate, clear and conspicuous, and delivered so that each member can reasonably be expected to receive actual notice;
    • Disclosing nonpublic personal information to nonaffiliated third parties, other than under an exception, after first meeting the applicable requirements for giving members notice and the right to opt out;
    • Appropriately honoring member opt out directions;
    • Lawfully using or disclosing nonpublic personal information received from a nonaffiliated financial institution; and
    • Disclosing account numbers only according to the limits in the regulation.
  • To initiate effective corrective actions when violations of law are identified, or when policies, procedures, or internal controls are deficient.

Examination Procedures [8]

  1. Through discussions with management and review of available information, identify the credit union’s information sharing practices (and changes to those practices) with affiliates and nonaffiliated third parties; how it treats nonpublic personal information; and how it administers opt-outs. Consider the following as appropriate:
    1. Notices (initial, annual, revised, opt-out, short-form, and simplified);
    2. Credit union privacy policies, procedures, and internal controls, including those to:
      • Process requests for nonpublic personal information, including requests for aggregated information;
      • Deliver notices to consumers;
      • Manage consumer opt out directions (e.g., designating files, allowing a reasonable time to opt out, providing new opt out and privacy notices when necessary, receiving opt out directions, handling joint account holders);
      • Prevent the unlawful disclosure and use of the information received from nonaffiliated financial institutions; and
      • Prevent the unlawful disclosure of account numbers;
    3. Information sharing agreements between the credit union and affiliates and service agreements or contracts between the credit union and nonaffiliated third parties either to obtain or provide information or services;
    4. Complaint logs, telemarketing scripts, and any other information obtained from nonaffiliated third parties (Note: review telemarketing scripts to determine whether the contractual terms set forth under § 1016.13 are met and whether the credit union is disclosing account number information in violation of § 1016.12);
    5. Categories of nonpublic personal information collected from or about consumers in obtaining a financial product or service (e.g., in the application process for deposit, loan, or investment products; for an over-the-counter purchase of a bank check; from E-banking products or services, including information collected electronically through Internet cookies; or through ATM transactions);
    6. Categories of nonpublic personal information shared with, or received from, each nonaffiliated third party;
    7. Consumer complaints regarding the treatment of nonpublic personal information, including those received electronically;
    8. Records that reflect the credit union’s categorization of its information sharing practices under § 1016.13, § 1016.14, § 1016.15, and outside of these exceptions; and
    9. Results of a 501(b) (15 U.S.C. 6801(b)) inspection (used to determine the accuracy of the credit union’s privacy disclosures regarding information security).
  2. Use the information gathered from step 1 to work through the “Privacy Notice and Opt-Out Decision Tree” below. Identify which module(s) of procedures is (are) applicable.
  3. Use the information gathered from step 1 to work through the Redisclosure and Reuse and Account Number Sharing Decision Trees below, as necessary. Identify which module is applicable.
  4. Determine the adequacy of the credit union’s policies, procedures, and internal controls to ensure compliance with the regulation as applicable. Consider the following:
    1. Sufficiency of internal policies, procedures, and internal controls, including review of new products and services and controls over servicing arrangements and marketing arrangements;
    2. Effectiveness of management information systems, including the use of technology for monitoring, exception reports, and standardization of forms and procedures;
    3. Frequency and effectiveness of monitoring procedures;
    4. Adequacy and regularity of the credit union’s training program;
    5. Suitability of the compliance audit program for ensuring that:
      • The procedures address all regulatory provisions as applicable;
      • The work is accurate and comprehensive with respect to the credit union’s information sharing practices;
      • The frequency is appropriate;
      • Conclusions are appropriately reached and presented to responsible parties;
      • Steps are taken to correct deficiencies and to follow-up on previously identified deficiencies; and
    6. Knowledge level of management and personnel.
  5. Ascertain areas of risk associated with the credit union’s sharing practices (especially those within § 1016.13 and those that fall outside of the exceptions) and any weaknesses found within the compliance management program. Keep in mind any outstanding deficiencies identified in the audit for follow-up when completing the modules.
  6. Based on the results of the foregoing initial procedures and discussions with management, determine which procedures should be completed in the applicable module, focusing on areas of particular risk. The selection of procedures to be employed depends upon the adequacy of the credit union’s compliance management system and level of risk identified. Each module contains a series of general instructions to verify compliance, cross-referenced to citations within the regulation. Additionally, there are cross-references to a more comprehensive checklist, which the examiner may use if needed to evaluate compliance in more detail.
  7. Evaluate any additional information or documentation discovered during the course of the examination according to these procedures. Note that this may reveal new or different sharing practices necessitating reapplication of the Decision Trees and completion of additional or different modules.
  8. Formulate conclusions.
    1. Summarize all findings.
    2. For violation(s) noted, determine the cause by identifying weaknesses in internal controls, compliance review, training, management oversight, or other areas.
    3. Identify action needed to correct violations and to address weaknesses in the credit union’s compliance system, as appropriate. 
    4. Discuss findings with management and obtain a commitment for corrective action.

PRIVACY NOTICE AND OPT OUT DECISION TREE

Does the credit union share nonpublic personal information with nonaffiliated third parties under § 1016.14 and/or § 1016.15 and outside of the exceptions (with or without also sharing under § 1016.13)?

If yes, then Module 1,

  • Privacy notice (presentation, content, and delivery) (with or without § 1016.13 notice & contracting)
  • Short form notice (optional for consumers)
  • Customer notice delivery rules
  • Opt out rules

Otherwise if no, does the credit union share nonpublic personal information with nonaffiliated third parties under § 1016.13, and § 1016.14 and/or § 1016.15 but not outside the exceptions?

If yes, then Module 2,

Otherwise if no, does the credit union share nonpublic personal information with nonaffiliated third parties only under § 1016.14 and/or § 1016.15?

If yes, then Module 3,

  • Privacy notice
  • Simplified notice (if applicable)
  • Customer notice delivery rules

REDISCLOSURE AND REUSE OF NONPUBLIC PERSONAL INFORMATION RECEIVED FROM NONAFFILIATED FINANCIAL INSTITUTIONS DECISION TREE (§§ 1016.11(a) and 1016.11(b))

Does the credit union receive nonpublic personal information from nonaffiliated financial institutions? If no, then no review necessary.

If yes, how is that information received? 

If under §§ 1016.14 and/or 1016.15, then Module 4, receipt of information under §§ 1016.14 and/or 1016.15.

If outside of §§ 1016.14 and/or 1016.15, then Module 5, receipt of information outside of §§ 1016.14 and/or 1016.15.

ACCOUNT NUMBER SHARING DECISION TREE
(§ 1016.12)

Does the credit union share account numbers or similar access numbers or codes with nonaffiliated third parties (other than a consumer reporting agency) for telemarketing, direct mail or electronic mail marketing?

If no, then no review necessary. This may include sharing of encrypted account numbers but not the decryption key. 

If yes, then Module 6 Account number sharing.

Module 1 - Sharing nonpublic personal information with nonaffiliated third parties under §§ 1016.14 and/or 1016.15 and outside of the exceptions

(With or without also sharing under § 1016.13)

Note: Credit unions whose practices fall within this category engage in the most expansive degree of information sharing permissible. Consequently, these credit unions are held to the most comprehensive compliance standards imposed by the regulation.

Note: As of December 4, 2015, a credit union is not required to provide an annual privacy notice to its applicable customers if it: (1) solely shares nonpublic personal information in accordance with the provisions of GLBA §§ 502(b)(2) (corresponding to Regulation P § 1016.13) or 502(e) (corresponding to Regulation P §§ 1016.14 and 1016.15) or regulations prescribed under GLBA § 504(b); and (2) has not changed its policies and practices with regard to disclosing nonpublic personal information since its most recent disclosure to its customers that was made in accordance with GLBA § 503. A credit union that at any time fails to comply with either of the criteria is not eligible for the exception and is required to provide an annual privacy notice to its customers.

  1. Disclosure of Nonpublic Personal Information
    1. Select a sample of third party relationships with nonaffiliated third parties and obtain a sample of information shared between the credit union and the third party both inside and outside of the exceptions. The sample should include a cross-section of relationships but should emphasize those that are higher risk in nature as determined by the initial procedures. Perform the following comparisons to evaluate the credit union’s compliance with disclosure limitations. 
      1. Compare the categories of information shared and with whom the information was shared to those stated in the privacy notice and verify that what the credit union tells consumers (both members and those who are not members) in its notices about its policies and practices in this regard, and what the credit union actually does, are consistent (§§ 1016.6, 1016.10).
      2. Compare the information shared to a sample of opt out directions and verify that only nonpublic personal information covered under the exceptions or from consumers (customers and those who are not customers) who chose not to opt out is shared (§ 1016.10).
    2. If the credit union also shares information under § 1016.13, obtain and review contracts with nonaffiliated third parties that perform services for the credit union not covered by the exceptions in §§ 1016.14 or 1016.15. Determine whether the contracts prohibit the third party from disclosing or using the information other than to carry out the purposes for which the information was disclosed (§ 1016.13).
  2. Presentation, Content, and Delivery of Privacy Notices
    1. Review the credit union’s initial, annual and revised notices, as well as any short-form notices that the credit union may use for consumers who are not members. Determine whether or not these notices:
      1. Are clear and conspicuous (§§ 1016.3, 1016.4, 1016.5(a)(1), 1016.8(a)(1));
      2. Accurately reflect the credit union’s policies and practices (§§ 1016.4(a), 1016.5(a)(1), 1016.8(a)(1)). Note: this includes policies and practices disclosed in the notices that exceed regulatory requirements; and
      3. Include, and adequately describe, all required items of information and contain examples as applicable (§ 1016.6). Note that if the credit union shares nonpublic personal information under § 1016.13, the notice provisions for that section shall also apply.
      4. If the model privacy form is used, determine that it reflects the credit union’s policies and practices. For credit unions seeking a safe harbor for compliance with the content requirements of the regulation, verify that the notice has the proper content and is in the proper format as specified in the Appendix of the regulation.
    2. Through discussions with management, review of the credit union’s policies, procedures, and internal controls and a sample of electronic or written consumer records where available, determine if the credit union has adequate policies, procedures, and internal controls in place to provide notices to consumers, as appropriate. Assess the following:
      1. Timeliness of delivery (§§ 1016.4(a), 1016.7(c), 1016.8(a)); and
      2. Reasonableness of the method of delivery (e.g., by hand; by mail; electronically, if the consumer agrees; or as a necessary step of a transaction) (§ 1016.9).
      3. For members only, review the timeliness of delivery (§§ 1016.4(d), 1016.4(e), 1016.5(a)), means of delivery of annual notice (§ 1016.9(c)), and accessibility of or ability to retain the notice (§ 1016.9(e)).
  3. Opt-Out Right
    1. Review the credit union’s opt-out notices. An opt-out notice may be combined with the credit union’s privacy notices. Regardless, determine whether the opt-out notices:
      1. Are clear and conspicuous (§§ 1016.3(b) and 1016.7(a)(1));
      2. Accurately explain the right to opt-out (§ 1016.7(a)(1));
      3. Include and adequately describe the three required items of information (the credit union’s policy regarding disclosure of nonpublic personal information, the consumer’s opt-out right, and the means to opt-out) (§ 1016.7(a)(1)); and
      4. Describe how the credit union treats joint relationships, as applicable (§ 1016.7(e)).
    2. Through discussions with management, review of the credit union’s policies, procedures, and internal controls and a sample of electronic or written records where available, determine if the credit union has adequate policies, procedures, and internal controls in place to provide the opt-out notice and comply with opt-out directions of consumers (members and those who are not members), as appropriate. Assess the following:
      1. Timeliness of delivery (§ 1016.10(a)(1));
      2. Reasonableness of the method of delivery (e.g., by hand; by mail; electronically, if the consumer agrees; or as a necessary step of a transaction) (§ 1016.9);
      3. Reasonableness of the opportunity to opt-out (the time allowed to and the means by which the consumer may opt-out) (§§ 1016.10(a)(1)(iii), 1016.10(a)(3)); and
      4. Adequacy of procedures to implement and track the status of a consumer's (members and those who are not members) opt-out direction, including those of former members (§§ 1016.7(e)-(g)).
  4. Checklist Cross References – Module 1

    | Regulation Section | Subject | Checklist Questions |
    |---|---|---|
    | 1016.4(a), 1016.6(a, b, c, e), and 1016.9(a, b, g) | Privacy notices (presentation, content, and delivery) | 2, 8-11, 14, 18, 35, 36, 41 |
    | 1016.4(a, c, d, e), 1016.5, and 1016.9(c, e) | Customer notice delivery rules | 1, 3-7, 37-39 |
    | 1016.13 | § 1016.13 notice and contracting rules (as applicable) | 12, 48 |
    | 1016.6(d) | Short form notice rules (optional for consumers only) | 15-17 |
    | 1016.7, 1016.8, and 1016.10 | Opt-out rules | 19-34, 42-44 |
    | 1016.14 and 1016.15 | Exceptions | 49-51 |

Module 2 - Sharing nonpublic personal information with nonaffiliated third parties under §§ 1016.13, and 1016.14 and/or 1016.15 but not outside of these exceptions

Note: As of December 4, 2015, a credit union is not required to provide an annual privacy notice to its applicable customers if it: (1) solely shares nonpublic personal information in accordance with the provisions of GLBA §§ 502(b)(2) (corresponding to Regulation P § 1016.13) or 502(e) (corresponding to Regulation P §§ 1016.14 and 1016.15) or regulations prescribed under GLBA § 504(b); and (2) has not changed its policies and practices with regard to disclosing nonpublic personal information since its most recent disclosure to its customers that was made in accordance with GLBA § 503. A credit union that at any time fails to comply with either of the criteria is not eligible for the exception and is required to provide an annual privacy notice to its customers.

  1. Disclosure of Nonpublic Personal Information
    1. Select a sample of third party relationships with nonaffiliated third parties and obtain a sample of information shared between the credit union and the third party. The sample should include a cross-section of relationships but should emphasize those that are higher risk in nature as determined by the initial procedures. Perform the following comparisons to evaluate the credit union’s compliance with disclosure limitations. 
      1. Compare the information shared and with whom the information was shared to ensure that the credit union accurately categorized its information sharing practices and is not sharing nonpublic personal information outside the exceptions (§§ 1016.13, 1016.14, 1016.15).
      2. Compare the categories of information shared and with whom the information was shared to those stated in the privacy notice and verify that what the credit union tells consumers in its notices about its policies and practices in this regard and what the credit union actually does are consistent (§§ 1016.6, 1016.10).
      3. If the model privacy form is used, determine that it reflects the credit union’s policies and practices. For credit unions seeking a safe harbor for compliance with the content requirements of the regulation, verify that the notice has the proper content and is in the proper format as specified in the Appendix of the regulation.
    2. Review contracts with nonaffiliated third parties that perform services for the credit union not covered by the exceptions in §§ 1016.14 or 1016.15. Determine whether the contracts adequately prohibit the third party from disclosing or using the information other than to carry out the purposes for which the information was disclosed (§ 1016.13(a)).
  2. Presentation, Content, and Delivery of Privacy Notices
    1. Review the credit union’s initial and annual privacy notices. Determine whether or not they:
      1. Are clear and conspicuous (§§ 1016.3(b), 1016.4(a), 1016.5(a)(1));
      2. Accurately reflect the institution’s policies and practices (§§ 1016.4(a), 1016.5(a)(1)). Note, this includes policies and practices disclosed in the notices that exceed regulatory requirements; and
      3. Include, and adequately describe, all required items of information and contain examples as applicable (§§ 1016.6, 1016.13).
    2. Through discussions with management, review of the credit union’s policies, procedures, and internal controls and a sample of electronic or written consumer records where available, determine if the credit union has adequate policies, procedures, and internal controls in place to provide notices to consumers, as appropriate. Assess the following:
      1. Timeliness of delivery (§ 1016.4(a)); and
      2. Reasonableness of the method of delivery (e.g., by hand; by mail; electronically, if the consumer agrees; as a necessary step of a transaction; or pursuant to the alternative delivery method) (§ 1016.9).
      3. For members only, review the timeliness of delivery (§§ 1016.4(d), 1016.4(e), and 1016.5(a)), means of delivery of annual notice (§ 1016.9(c)), and accessibility of or ability to retain the notice (§ 1016.9(e)).
  3. Checklist Cross References – Module 2

    | Regulation Section | Subject | Checklist Questions |
    |---|---|---|
    | 1016.4(a), 1016.6(a, b, c, e), and 1016.9(a, b, i) | Privacy notices (presentation, content, and delivery) | 2, 8-11, 14, 18, 35, 36, 41 |
    | 1016.4(a, c, d, e), 1016.5, and 1016.9(c, e) | Customer notice delivery rules | 1, 3-7, 37-39 |
    | 1016.13 | Exceptions to Opt-Out | 12, 48 |
    | 1016.14 and 1016.15 | Exceptions | 49-51 |

Module 3 - Sharing nonpublic personal information with nonaffiliated third parties only under §§ 1016.14 and/or 1016.15

NOTE: This module applies only to members.

Note: As of December 4, 2015, a credit union is not required to provide an annual privacy notice to its applicable customers if it: (1) solely shares nonpublic personal information in accordance with the provisions of GLBA §§ 502(b)(2) (corresponding to Regulation P § 1016.13) or 502(e) (corresponding to Regulation P §§ 1016.14 and 1016.15) or regulations prescribed under GLBA § 504(b); and (2) has not changed its policies and practices with regard to disclosing nonpublic personal information since its most recent disclosure to its customers that was made in accordance with GLBA § 503. A credit union that at any time fails to comply with either of the criteria is not eligible for the exception and is required to provide an annual privacy notice to its customers.

  1. Disclosure of Nonpublic Personal Information
    1. Select a sample of third party relationships with nonaffiliated third parties and obtain a sample of information shared between the credit union and the third party.
      1. Compare the information shared and with whom the information was shared to ensure that the credit union accurately states its information sharing practices and is not sharing nonpublic personal information outside the exceptions.
  2. Presentation, Content, and Delivery of Privacy Notices
    1. Obtain and review the credit union’s initial and annual notices, as well as any simplified notice that the credit union may use. Note that the credit union may only use the simplified notice when it does not also share nonpublic personal information with affiliates outside of §§ 1016.14 and 1016.15 exceptions. Determine whether or not these notices:
      1. Are clear and conspicuous (§§ 1016.3(b), 1016.4(a), 1016.5(a)(1));
      2. Accurately reflect the credit union’s policies and practices (§§ 1016.4(a), 1016.5(a)(1)). Note, this includes policies and practices disclosed in the notices that exceed regulatory requirements; and
      3. Include, and adequately describe, all required items of information (§ 1016.6).
      4. If the model privacy form is used, determine that it reflects the credit union’s policies and practices. For credit unions seeking a safe harbor for compliance with the content requirements of the regulation, verify that the notice has the proper content and is in the proper format as specified in the Appendix of the regulation.
    2. Through discussions with management, review of the credit union’s policies, procedures, and internal controls and a sample of electronic or written member records where available, determine if the credit union has adequate policies, procedures, and internal controls in place to provide notices to members, as appropriate. Assess the following:
      1. Timeliness of delivery (§§ 1016.4(a), 1016.4(d), 1016.4(e), 1016.5(a)); and
      2. Reasonableness of the method of delivery (e.g., by hand; by mail; electronically, if the member agrees; as a necessary step of a transaction; or pursuant to the alternative delivery method) (§ 1016.9) and accessibility of or ability to retain the notice (§ 1016.9(e)).
  3. Checklist Cross References – Module 3

    | Regulation Section | Subject | Checklist Questions |
    |---|---|---|
    | 1016.4(a, d, e), 1016.5, and 1016.9 | Member notice delivery process | 1, 3-7, 35-41 |
    | 1016.6 | Member notice content and presentation | 8-11, 14, 18 |
    | 1016.6(c)(5) | Simplified notice content (optional) | 13 |
    | 1016.14 and 1016.15 | Exceptions | 49-51 |

Module 4 - Redisclosure and Reuse of nonpublic personal information received from a nonaffiliated financial institution under §§ 1016.14 and/or 1016.15

  1. Through discussions with management and review of the credit union’s policies, procedures, and internal controls, determine whether the credit union has adequate policies, procedures, and internal controls to prevent the unlawful redisclosure and reuse of the information where the credit union is the recipient of nonpublic personal information (§ 1016.11(a)).
  2. Select a sample of information received from nonaffiliated financial institutions, to evaluate the credit union’s compliance with redisclosure and reuse limitations.
    1. Verify that the credit union’s redisclosure of the information was only to affiliates of the credit union from which the information was obtained or to the credit union’s own affiliates, except as otherwise allowed in step 2 below (§ 1016.11(a)(1)(i) and (ii)).
    2. Verify that the credit union only uses and shares the information pursuant to an exception in §§ 1016.14 and 1016.15 (§ 1016.11(a)(1)(iii)).
  3. Checklist Cross References – Module 4

    | Regulation Section | Subject | Checklist Question |
    |---|---|---|
    | 1016.11(a) | Redisclosure and reuse | 45 |
    | 1016.14, 1016.15 | Exceptions | 49-51 |

Module 5 - Redisclosure of nonpublic personal information received from a nonaffiliated financial institution outside of §§ 1016.14 and 1016.15

  1. Through discussions with management and review of the credit union’s policies, procedures, and internal controls, determine whether the credit union has adequate policies, procedures, and internal controls to prevent the unlawful redisclosure of the information where the credit union is the recipient of nonpublic personal information (§ 1016.11(b)).
  2. Select a sample of information received from nonaffiliated financial institutions and shared with others to evaluate the credit union’s compliance with redisclosure limitations.
    1. Verify that the credit union’s redisclosure of the information was only to affiliates of the credit union from which the information was obtained or to the credit union’s own affiliates, except as otherwise allowed in step 2 below (§ 1016.11(b)(1)(i) and (ii)).
    2. If the credit union shares information with entities other than those under step 1 above, verify that the credit union’s information sharing practices conform to those in the nonaffiliated financial institution’s privacy notice (§ 1016.11(b)(1)(iii)).
    3. Also, review the procedures used by the credit union to ensure that the information sharing reflects the opt-out status of the consumers of the nonaffiliated financial institution (§§ 1016.10, 1016.11(b)(1)(iii)).
  3. Checklist Cross References – Module 5

    | Regulation Section | Subject | Checklist Question |
    |---|---|---|
    | 1016.11(b) | Redisclosure | 46 |

Module 6 - Account number sharing

  1. If available, review a sample of telemarketer scripts used when making sales calls to determine whether the scripts indicate that the telemarketers have the account numbers of the credit union’s members (§ 1016.12(a)).
  2. Obtain and review a sample of contracts with agents or service providers to whom the credit union discloses account numbers for use in connection with marketing the credit union's own products or services. Determine whether the credit union shares account numbers with nonaffiliated third parties only to perform marketing for the credit union’s own products and services. Ensure that the contracts do not authorize these nonaffiliated third parties to directly initiate charges to the accounts (§ 1016.12(b)(1)).
  3. Obtain a sample of materials and information provided to the consumer upon entering a private label or affinity credit card program. Determine if the participants in each program are identified to the member when the member enters into the program (§ 1016.12(b)(2)).
  4. Checklist Cross References – Module 6

    | Regulation Section | Subject | Checklist Question |
    |---|---|---|
    | 1016.12 | Account number sharing | 47 |

PRIVACY OF CONSUMER FINANCIAL INFORMATION
(REGULATION P)
CHECKLIST

SUBPART A

Initial Privacy Notice

| Item | Description | Yes | No | N/A |
|---|---|---|---|---|
| 1 | Does the credit union provide a clear and conspicuous notice that accurately reflects its privacy policies and practices to all customers not later than when the customer relationship is established, other than as allowed in paragraph (e) of section 4 of the regulation? (§ 1016.4(a)(1)) (Note: A credit union establishes a customer relationship when it enters into a continuing relationship with the consumer. (§ 1016.4(c)(1)) With respect to credit relationships, a credit union establishes a customer relationship when it originates a consumer loan. If the institution subsequently sells the servicing rights to the loan to another financial institution, the customer relationship transfers with the servicing rights. (§ 1016.4(c)(2)) Customer relationships in credit unions may include nonmembers. (§ 1016.4(c)(3)(iii))) | | | |
| 2 | Does the credit union provide a clear and conspicuous notice that accurately reflects its privacy policies and practices to all consumers, who are not customers, before any nonpublic personal information about the consumer is disclosed to a nonaffiliated third party, other than under an exception in §§ 1016.14 or 1016.15? (§ 1016.4(a)(2)) (Note: No notice is required if nonpublic personal information is disclosed to nonaffiliated third parties only under an exception in §§ 1016.14 and 1016.15, and there is no customer relationship. (§ 1016.4(b))) | | | |
| 3 | Does the credit union provide to existing customers, who obtain a new financial product or service, a revised privacy notice that covers the customer's new financial product or service, if the most recent notice provided to the customer was not accurate with respect to the new financial product or service? (§ 1016.4(d)(1)) | | | |
| 4 | Does the credit union provide initial notice after establishing a customer relationship only if: | N/A | N/A | N/A |
| 4(a) | The customer relationship is not established at the customer's election; (§ 1016.4(e)(1)(i)) or | | | |
| 4(b) | To do otherwise would substantially delay the customer’s transaction (e.g. in the case of a telephone application), and the customer agrees to the subsequent delivery? (§ 1016.4(e)(1)(ii)) | | | |
| 5 | When the subsequent delivery of a privacy notice is permitted, does the credit union provide notice after establishing a customer relationship within a reasonable time? (§ 1016.4(e)) | | | |

Annual Privacy Notice

Annual Privacy Notice
Item Description Yes No N/A
6 Does the credit union provide a clear and conspicuous notice that accurately reflects its privacy policies and practices at least annually (that is, at least once in any period of 12 consecutive months) to customers, unless an exception to the annual privacy notice requirement applies? (§§ 1016.5(a)(1)-(2) (You will be leaving NCUA.gov and accessing a non-NCUA website. We encourage you to read the NCUA's exit link policies. (opens new page).) )

(Note: annual notices are not required for former customers. (§§ 1016.5(b)(1) and (4)))
     
7 Does the credit union provide an annual privacy notice to each customer whose loan the credit union owns the right to service unless an exception to the annual privacy notice requirement applies? (§ 1016.5(c), 1016.12)

Content of Privacy Notices

Item Description Yes No N/A
8 Do the initial, annual, and revised privacy notices include each of the following, as applicable: N/A N/A N/A
8(a) The categories of nonpublic personal information that the credit union collects; (§ 1016.6(a)(1))
8(b) The categories of nonpublic personal information that the credit union discloses; (§ 1016.6(a)(2))
8(c) The categories of affiliates and nonaffiliated third parties to whom the credit union discloses nonpublic personal information, other than parties to whom information is disclosed under an exception in §§ 1016.14 or 1016.15; (§ 1016.6(a)(3))
8(d) The categories of nonpublic personal information disclosed about former customers, and the categories of affiliates and nonaffiliated third parties to whom the credit union discloses that information, other than those parties to whom the credit union discloses information under an exception in §§ 1016.14 or 1016.15; (§ 1016.6(a)(4))
8(e) If the credit union discloses nonpublic personal information to a nonaffiliated third party under § 1016.13, and no exception under §§ 1016.14 or 1016.15 applies, a separate statement of the categories of information the credit union discloses and the categories of third parties with whom the credit union has contracted; (§ 1016.6(a)(5))
8(f) An explanation of the opt out right, including the method(s) of opt out that the consumer can use at the time of the notice; (§ 1016.6(a)(6))
8(g) Any disclosures that the credit union makes under FCRA § 603(d)(2)(A)(iii); (§ 1016.6(a)(7))
8(h) The credit union’s policies and practices with respect to protecting the confidentiality and security of nonpublic personal information; (§ 1016.6(a)(8)) and
8(i) A general statement that the credit union makes disclosures to other nonaffiliated third parties for everyday business purposes, such as (with the credit union including all purposes that are applicable) to process transactions, maintain accounts, respond to court orders and legal investigations, or report to credit bureaus, or as permitted by law? (§ 1016.6(a)(9), (b)(1) and (2))

(Note: Credit unions that provide a model privacy form in accordance with the instructions in the Appendix of the regulation will receive a safe harbor for compliance with the content requirements of the regulation.)
     
9 Does the credit union list the following categories of nonpublic personal information that it collects, as applicable: N/A N/A N/A
9(a) Information from the consumer; (§ 1016.6(c)(1)(i))
     
9(b) Information about the consumer’s transactions with the credit union or its affiliates; (§ 1016.6(c)(1)(ii))
     
9(c) Information about the consumer’s transactions with nonaffiliated third parties; (§ 1016.6(c)(1)(iii)) and
     
9(d) Information from a consumer reporting agency? (§ 1016.6(c)(1)(iv))
     
10 Does the credit union list the following § 1016.6(c)(1) categories of nonpublic personal information that it discloses, as applicable, and a few examples of each, or alternatively state that it reserves the right to disclose all the nonpublic personal information that it collects: N/A N/A N/A
10(a) Information from the consumer;      
10(b) Information about the consumer’s transactions with the credit union or its affiliates;      
10(c) Information about the consumer’s transactions with nonaffiliated third parties; and      
10(d) Information from a consumer reporting agency? (§ 1016.6(c)(2))

(Note: Examples are recommended under § 1016.6(c)(2)(i) although not under § 1016.6(c)(1).)
     
11 Does the credit union list the following categories of affiliates and nonaffiliated third parties to whom it discloses information, as applicable, and a few examples to illustrate the types of the third parties in each category: N/A N/A N/A
11(a) Financial service providers; (§ 1016.6(c)(3)(i))
11(b) Non-financial companies; (§ 1016.6(c)(3)(ii)) and
11(c) Others? (§ 1016.6(c)(3)(iii))
12 Does the credit union make the following disclosures regarding service providers and joint marketers to whom it discloses nonpublic personal information under § 1016.13: N/A N/A N/A
12(a) As applicable, the same categories and examples of nonpublic personal information disclosed as described in §§ 1016.6(a)(2) and 1016.6(c)(2) (see questions 8b and 10); (§ 1016.6(c)(4)(i)) and
12(b) That the third party is a service provider that performs marketing on the credit union’s behalf or on behalf of the credit union and another financial institution; (§ 1016.6(c)(4)(ii)(A)) or
12(c) That the third party is a financial institution with which the credit union has a joint marketing agreement? (§ 1016.6(c)(4)(ii)(B))
13 If the credit union does not disclose nonpublic personal information, and does not reserve the right to do so, other than under exceptions in §§ 1016.14 and 1016.15, does the credit union provide a simplified privacy notice that contains at a minimum: N/A N/A N/A
13(a) A statement to this effect;      
13(b) The categories of nonpublic personal information it collects (same as § 1016.6(a)(1));
13(c) The policies and practices the credit union uses to protect the confidentiality and security of nonpublic personal information (same as § 1016.6(a)(8)); and
13(d) A general statement that the credit union makes disclosures to other nonaffiliated third parties as permitted by law (same as §§ 1016.6(a)(9) and 1016.6(b))? (§ 1016.6(c)(5))

(Note: Use of this type of simplified notice is optional; a credit union may always use a full notice.)
     
14 Does the credit union describe the following about its policies and practices with respect to protecting the confidentiality and security of nonpublic personal information: N/A N/A N/A
14(a) Who is authorized to have access to the information; (§ 1016.6(c)(6)(i)) and
14(b) Whether security practices and policies are in place to ensure the confidentiality of the information in accordance with the credit union’s policy? (§ 1016.6(c)(6)(ii))

(Note: The credit union is not required to describe technical information about the safeguards used in this respect.)
     
15 If the credit union provides a short-form initial privacy notice with the opt-out notice, does the credit union do so only to consumers with whom the credit union does not have a customer relationship? (§ 1016.6(d)(1))
16 If the credit union provides a short-form initial privacy notice according to § 1016.6(d)(1), does the short-form initial notice: N/A N/A N/A
16(a) Conform to the definition of “clear and conspicuous”; (§ 1016.6(d)(2)(i))
16(b) State that the credit union’s full privacy notice is available upon request; (§ 1016.6(d)(2)(ii)) and
16(c) Explain a reasonable means by which the consumer may obtain the notice? (§ )

(Note: The credit union is not required to deliver the full privacy notice with the short-form initial notice. (§ ))
     
17 Does the credit union provide consumers who receive the short-form initial notice with a reasonable means of obtaining the longer initial notice, such as: N/A N/A N/A
17(a) A toll-free telephone number that the consumer may call to request the notice; (§) or      
17(b) Having copies available to provide immediately by hand-delivery for the consumer who conducts business in person at the credit union's office? (§ )      
18 If the credit union, in its privacy policies and practices, reserves the right to disclose nonpublic personal information to nonaffiliated third parties in the future, does the privacy notice include, as applicable: N/A N/A N/A
18(a) The categories of nonpublic personal information that the credit union reserves the right to disclose in the future, but does not currently disclose; (§ 1016.6(e)(1)) and
18(b) The categories of affiliates or nonaffiliated third parties to whom the credit union reserves the right in the future to disclose, but to whom it does not currently disclose, nonpublic personal information? (§ 1016.6(e)(2))

Opt-Out Notice

Item Description Yes No N/A
19 If the credit union discloses nonpublic personal information about a consumer to a nonaffiliated third party, and the exceptions under §§ 1016.13, 1016.14, and 1016.15 do not apply, does the credit union provide the consumer with a clear and conspicuous opt-out notice that accurately explains the right to opt out? (§ 1016.7(a)(1))
20 Does the opt-out notice state: N/A N/A N/A
20(a) The credit union discloses or reserves the right to disclose nonpublic personal information about the consumer to a nonaffiliated third party; (§ 1016.7(a)(1)(i))
20(b) The consumer has the right to opt-out of that disclosure; (§ 1016.7(a)(1)(ii)) and
20(c) A reasonable means by which the consumer may opt-out? (§ 1016.7(a)(1)(iii))
21 Does the credit union provide the consumer with the following information about the right to opt-out: N/A N/A N/A
21(a) All of the categories of nonpublic personal information that the credit union discloses or reserves the right to disclose; (§ 1016.7(a)(2)(i)(A))
21(b) All the categories of nonaffiliated third parties to whom the information is disclosed; (§ 1016.7(a)(2)(i)(A))
21(c) The consumer has the right to opt-out of the disclosure of that information; (§ 1016.7(a)(2)(i)(A)) and
21(d) The financial products or services that the consumer obtains to which the opt-out direction would apply? (§ 1016.7(a)(2)(i)(B))
22 Does the credit union provide the consumer with at least one of the following reasonable means of opting out, or with another reasonable means: N/A N/A N/A
22(a) Check-off boxes prominently displayed on the relevant forms with the opt-out notice; (§ 1016.7(a)(2)(ii)(A))
22(b) A reply form included with the opt-out notice; (§ 1016.7(a)(2)(ii)(B))
22(c) An electronic means to opt-out, such as a form that can be sent via electronic mail or a process at the credit union’s web site, if the consumer agrees to the electronic delivery of information; (§ 1016.7(a)(2)(ii)(C)) or
22(d) A toll-free telephone number? (§ 1016.7(a)(2)(ii)(D))      

(Note: The credit union may require the consumer to use one specific means, as long as that means is reasonable for that consumer. (§ 1016.7(a)(2)(iv)))

Opt-Out Notice continued
Item Description Yes No N/A
23 If the credit union delivers the opt-out notice after the initial notice, does the credit union provide the initial notice once again with the opt-out notice? (§ 1016.7(c))
24 Does the credit union provide an opt-out notice, explaining how the credit union will treat opt-out directions by the joint consumers, to at least one party in a joint consumer relationship? (§ 1016.7(d)(2))
25 Does the credit union permit each of the joint consumers in a joint relationship to opt-out? (§ 1016.7(d)(2))
26 Does the opt-out notice to joint consumers state that either: N/A N/A N/A
26(a) The credit union will consider an opt-out by a joint consumer as applying to all associated joint consumers; (§ 1016.7(d)(2)(i)) or
26(b) Each joint consumer is permitted to opt-out separately? (§ 1016.7(d)(2)(ii))
27 If each joint consumer may opt-out separately, does the credit union permit: N/A N/A N/A
27(a) One joint consumer to opt-out on behalf of all of the joint consumers; (§ 1016.7(d)(3))
27(b) The joint consumers to notify the credit union in a single response; (§ 1016.7(d)(5)(i)) and
27(c) Each joint consumer to opt-out either for himself or herself, and/or for another joint consumer? (§ 1016.7(d)(5)(ii))
28 Does the credit union refrain from requiring all joint consumers to opt out before implementing any opt-out direction with respect to the joint account? (§ 1016.7(d)(4))
29 Does the credit union comply with a consumer’s direction to opt-out as soon as is reasonably practicable after receiving it? (§ 1016.7(g))
30 Does the credit union allow the consumer to opt-out at any time? (§ 1016.7(h))
31 Does the credit union continue to honor the consumer’s opt-out direction until revoked by the consumer in writing, or, if the consumer agrees, electronically? (§ 1016.7(i)(1))
32 When a customer relationship ends, does the credit union continue to apply the customer’s opt-out direction to the nonpublic personal information collected during, or related to, that specific customer relationship (but not to new relationships, if any, subsequently established by that customer)? (§ 1016.7(i)(2))

Revised Notices

Item Description Yes No N/A
33 Except as permitted by §§ 1016.13, 1016.14, and 1016.15, does the credit union refrain from disclosing any nonpublic personal information about a consumer to a nonaffiliated third party, other than as described in the initial privacy notice provided to the consumer, unless: N/A N/A N/A
33(a) The credit union has provided the consumer with a clear and conspicuous revised notice that accurately describes the credit union's privacy policies and practices; (§ 1016.8(a)(1))
33(b) The credit union has provided the consumer with a new opt-out notice; (§ 1016.8(a)(2))
33(c) The credit union has given the consumer a reasonable opportunity to opt out of the disclosure, before disclosing any information; (§ 1016.8(a)(3)) and
33(d) The consumer has not opted out? (§ 1016.8(a)(4))
34 Does the credit union deliver a revised privacy notice when it: N/A N/A N/A
34(a) Discloses a new category of nonpublic personal information to a nonaffiliated third party; (§ 1016.8(b)(1)(i))
34(b) Discloses nonpublic personal information to a new category of nonaffiliated third party; (§ 1016.8(b)(1)(ii)) or
34(c) Discloses nonpublic personal information about a former customer to a nonaffiliated third party, if that former customer has not had the opportunity to exercise an opt-out right regarding that disclosure? (§ 1016.8(b)(1)(iii))

(Note: A revised notice is not required if the credit union adequately described the nonaffiliated third party or information to be disclosed in the prior privacy notice. (§ 1016.8(b)(2)))

Delivery Methods

Item Description Yes No N/A
35 Does the credit union deliver the privacy and opt-out notices, including the short-form notice, so that the consumer can reasonably be expected to receive actual notice in writing or, if the consumer agrees, electronically? (§ 1016.9(a))
36 Does the credit union use a reasonable means for delivering the notices, such as: N/A N/A N/A
36(a) Hand-delivery of a printed copy; (§ 1016.9(b)(1)(i))
36(b) Mailing a printed copy to the last known address of the consumer; (§ 1016.9(b)(1)(ii))
36(c) For the consumer who conducts transactions electronically, clearly and conspicuously posting the notice on the credit union’s electronic site and requiring the consumer to acknowledge receipt as a necessary step to obtaining a financial product or service; (§ 1016.9(b)(1)(iii)) or
36(d) For isolated transactions, such as ATM transactions, posting the notice on the screen and requiring the member to acknowledge receipt as a necessary step to obtaining the financial product or service? (§ 1016.9(b)(1)(iv))

(Note: Insufficient or unreasonable means of delivery include: exclusively oral notice; in person or by telephone; branch or office signs or generally published advertisements; and electronic mail to a member who does not obtain products or services electronically. (§§ 1016.9(b)(2)(i)-(ii) and 1016.9(d)))
     
37 For annual notices only, if the credit union does not employ one of the methods described in question 36, does the credit union employ one of the following reasonable means of delivering the notice: N/A N/A N/A
37(a) For the member who uses the institution’s web site to access products and services electronically and who agrees to receive notices at the web site, continuously posting the current privacy notice on the web site in a clear and conspicuous manner; (§ 1016.9(c)(1)(i)) or
37(b) For the member who has requested the credit union refrain from sending any information about the customer relationship, making copies of the current privacy notice available upon the member’s request? (§ 1016.9(c)(1)(ii))
38 As of October 28, 2014, for annual notices only, if the credit union uses the alternative delivery method does it meet the following conditions: N/A N/A N/A
38(a) The credit union does not disclose the customer’s nonpublic personal information to nonaffiliated third parties other than for purposes under §§ 1016.13, 1016.14, and 1016.15; (§ 1016.9(c)(2)(i)(A))
38(b) The credit union does not include on its privacy notice an opt out under FCRA section 603(d)(2)(A)(iii); (§ 1016.9(c)(2)(i)(B))
38(c) The credit union previously provided the customer the opt-out notices required by FCRA section 624 and 12 CFR 1022, Subpart C, if applicable, or the privacy notice is not the only notice provided to satisfy those requirements; (§ 1016.9(c)(2)(i)(C))
38(d) The information that the credit union is required to convey on its privacy notice pursuant to §§ 1016.6(a)(1)-(5), 1016.6(8), and 1016.6(9) has not changed since it provided the immediately previous privacy notice to the customer, other than to eliminate categories of information that it discloses or categories of third parties to which it discloses information; (§ 1016.9(c)(2)(i)(D))
38(e) The credit union uses the model privacy form for its privacy notice; (§ 1016.9(c)(2)(i)(E))
38(f) The credit union conveys in a clear and conspicuous manner not less than annually on an account statement, coupon book, or a notice or disclosure that it is required or expressly and specifically permitted to issue to the customer under any other provision of law that the privacy notice is available on its web site and will be mailed to the customer upon request by telephone, and the statement states that the privacy notice has not changed and includes a specific web address that takes the customer to the web site where the privacy notice is posted and a telephone number for the customer to request that it be mailed; (§ 1016.9(c)(2)(ii)(A))
38(g) The credit union posts its privacy notice continuously and in a clear and conspicuous manner on a page on its web site on which the only content is the privacy notice, without requiring the customer to provide any information such as a login name or password or agree to any conditions to access the web site; (§ 1016.9(c)(2)(ii)(B)) and
38(h) The credit union mails its current privacy notice to those customers who request it by telephone within ten calendar days of the request? (§ 1016.9(c)(2)(ii)(C))
39 As of December 4, 2015, for annual privacy notices only, if the credit union does not provide an annual privacy notice (or provides one, but not using a compliant delivery method), does the credit union meet both of the following criteria: N/A N/A N/A
39(a) The credit union solely shares nonpublic personal information in accordance with the provisions of GLBA sections 502(b)(2) (corresponding to § 1016.13) or 502(e) (corresponding to §§ 1016.14 and 1016.15) or regulations prescribed under GLBA section 504(b); and
39(b) The credit union has not changed its policies and practices with regard to disclosing nonpublic personal information from the policies and practices that were disclosed in the most recent disclosure sent to consumers in accordance with GLBA section 503?      
40 For customers only, does the credit union ensure that the initial, annual, and revised notices may be retained or obtained later by the customer in writing, or if the customer agrees, electronically? (§ 1016.9(e)(1))
41 Does the credit union use an appropriate means to ensure that notices may be retained or obtained later, such as: N/A N/A N/A
41(a) Hand-delivery of a printed copy of the notice; (§ 1016.9(e)(2)(i))
41(b) Mailing a printed copy to the last known address of the customer upon request of the customer; (§ 1016.9(e)(2)(ii)) or
41(c) Making the current privacy notice available on the credit union’s website (or via a link to the notice at another site) for the customer who agrees to receive the notice at the website? (§ 1016.9(e)(2)(iii))
42 Does the credit union provide at least one initial, annual, and revised notice, as applicable, to joint consumers? (§ 1016.9(i))

SUBPART B

Limits on Disclosure to Nonaffiliated Third Parties

Item Description Yes No N/A
43 Does the credit union refrain from disclosing any nonpublic personal information about a consumer to a nonaffiliated third party, other than as permitted under §§ 1016.13, 1016.14, and 1016.15, unless: N/A N/A N/A
43(a) It has provided the consumer with an initial notice; (§ 1016.10(a)(1)(i))
43(b) It has provided the consumer with an opt-out notice; (§ 1016.10(a)(1)(ii))
43(c) It has given the consumer a reasonable opportunity to opt out before the disclosure; (§ 1016.10(a)(1)(iii)) and
43(d) The consumer has not opted out? (§ 1016.10(a)(1)(iv))

(Note: This disclosure limitation applies to consumers as well as to customers (§ 1016.10(b)(1)), and to all nonpublic personal information regardless of whether the information was collected before or after receiving an opt out direction. (§ 1016.10(b)(2)))
     
44 Does the credit union provide the consumer with a reasonable opportunity to opt out such as by: N/A N/A N/A
44(a) Mailing the notices required by § 1016.10 and allowing the consumer to respond by toll-free telephone number, return mail, or other reasonable means (see question 22) within 30 days from the date mailed; (§ 1016.10(a)(3)(i))
44(b) Where the consumer opens an on-line account with the institution and agrees to receive the notices required by § 1016.10 electronically, allowing the consumer to opt out by any reasonable means (see question 22) within 30 days from consumer acknowledgement of receipt of the notice in conjunction with opening the account; (§ 1016.10(a)(3)(ii)) or
44(c) For isolated transactions, providing the notices required by section 10 at the time of the transaction and requesting that the consumer decide, as a necessary part of the transaction, whether to opt out before the completion of the transaction? (§ 1016.10(a)(3)(iii))
45 Does the credit union allow the consumer to select certain nonpublic personal information or certain nonaffiliated third parties with respect to which the consumer wishes to opt out? (§ 1016.10(c))

Limits on Redisclosure and Reuse of Information

Item Description Yes No N/A
46 If the credit union receives information from a nonaffiliated financial institution under an exception in §§ 1016.14 or 1016.15, does the credit union refrain from using or disclosing the information except: N/A N/A N/A
46(a) To disclose the information to the affiliates of the financial institution from which it received the information; (§ 1016.11(a)(1)(i))
46(b) To disclose the information to its own affiliates, which are in turn limited by the same disclosure and use restrictions as the recipient institution; (§ 1016.11(a)(1)(ii)) and
46(c) To disclose and use the information pursuant to an exception in §§ 1016.14 or 1016.15 in the ordinary course of business to carry out the activity covered by the exception under which the information was received? (§ 1016.11(a)(1)(iii))

(Note: The disclosure or use described in section c of this question need not be directly related to the activity covered by the applicable exception. For instance, a credit union receiving information for fraud-prevention purposes could provide the information to its auditors. But the phrase “in the ordinary course of business” does not include marketing. (§ 1016.11(a)(2)))
     
47 If the credit union receives information from a nonaffiliated financial institution other than under an exception in §§ 1016.14 or 1016.15, does the credit union refrain from disclosing the information except: N/A N/A N/A
47(a) To the affiliates of the financial institution from which it received the information; (§ 1016.11(b)(1)(i))
47(b) To its own affiliates, which are in turn limited by the same disclosure restrictions as the recipient credit union; (§ 1016.11(b)(1)(ii)) and
47(c) To any other person, if the disclosure would be lawful if made directly to that person by the financial institution from which the credit union received the information? (§ 1016.11(b)(1)(iii))

Limits on Sharing Account Number Information for Marketing Purposes

Item Description Yes No N/A
48 Does the credit union refrain from disclosing, directly or through affiliates, account numbers or similar forms of access numbers or access codes for a consumer's credit card account, deposit account, or transaction account to any nonaffiliated third party (other than to a consumer reporting agency) for telemarketing, direct mail or electronic mail marketing to the consumer, except: N/A N/A N/A
48(a) To the credit union’s agents or service providers solely to market the credit union’s own products or services, as long as the agent or service provider is not authorized to directly initiate charges to the account; (§ 1016.12(b)(1)) or
48(b) To a participant in a private label credit card program or an affinity or similar program where the participants in the program are identified to the customer when the customer enters into the program? (§ 1016.12(b)(2))

(Note: An “account number or similar form of access number or access code” does not include numbers in encrypted form, so long as the credit union does not provide the recipient with a means of decryption. (§ 1016.12(c)(1)) A transaction account does not include an account to which third parties cannot initiate charges. (§ 1016.12(c)(2)))
     

SUBPART C

Exception to Opt Out Requirements for Service Providers and Joint Marketing

Item Description Yes No N/A
49 If the credit union discloses nonpublic personal information to a nonaffiliated third party without permitting the consumer to opt out, do the opt-out requirements of §§ 1016.7 and 1016.10, and the revised notice requirements in § 1016.8, not apply because: N/A N/A N/A
49(a) The credit union disclosed the information to a nonaffiliated third party who performs services for or functions on behalf of the credit union (including joint marketing of financial products and services offered pursuant to a joint agreement as defined in § 1016.13(b)); (§ 1016.13(a)(1))
49(b) The credit union has provided consumers with the initial notice; (§ 1016.13(a)(1)(i)) and
49(c) The credit union has entered into a contract with that party prohibiting the party from disclosing or using the information except to carry out the purposes for which the information was disclosed, including use under an exception in §§ 1016.14 or 1016.15 in the ordinary course of business to carry out those purposes? (§ 1016.13(a)(1)(ii))

Exceptions to Notice and Opt Out Requirements for Processing and Servicing Transactions

Item Description Yes No N/A
50 If the credit union discloses nonpublic personal information to nonaffiliated third parties, do the requirements for initial notice in § 1016.4(a)(2), opt out in §§ 1016.7 and 1016.10, revised notice in § 1016.8, and for service providers and joint marketing in § 1016.13, not apply because the information is disclosed as necessary to effect, administer, or enforce a transaction that the consumer requests or authorizes, or in connection with: N/A N/A N/A
50(a) Servicing or processing a financial product or service requested or authorized by the consumer; (§ 1016.14(a)(1))
50(b) Maintaining or servicing the consumer's account with the credit union or with another entity as part of a private label credit card program or other credit extension on behalf of the entity; or (§ 1016.14(a)(2))
50(c) A proposed or actual securitization, secondary market sale (including sale of servicing rights) or other similar transaction related to a transaction of the consumer? (§ 1016.14(a)(3))
51 If the credit union uses a § 1016.14 exception as necessary to effect, administer, or enforce a transaction, is the disclosure: N/A N/A N/A
51(a) Required, or is one of the lawful or appropriate methods, to enforce the rights of the credit union or other persons engaged in carrying out the transaction or providing the product or service; (§ 1016.14(b)(1)) or
51(b) Required, or is a usual, appropriate, or acceptable method, to: (§ 1016.14(b)(2))
51(b)(i) Carry out the transaction or the product or service business of which the transaction is a part, including recording, servicing, or maintaining the consumer's account in the ordinary course of business; (§ 1016.14(b)(2)(i))
51(b)(ii) Administer or service benefits or claims; (§ 1016.14(b)(2)(ii))
51(b)(iii) Confirm or provide a statement or other record of the transaction or information on the status or value of the financial service or financial product to the consumer or the consumer’s agent or broker; (§ 1016.14(b)(2)(iii))
51(b)(iv) Accrue or recognize incentives or bonuses; (§ 1014.14(b)(2)(iv))
51(b)(v) Underwrite insurance or for reinsurance or for certain other purposes related to a consumer's insurance; (§ 1016.14(b)(2)(v)) or
51(b)(vi) In connection with: N/A N/A N/A
51(b)(vi)(1) The authorization, settlement, billing, processing, clearing, transferring, reconciling, or collection of amounts charged, debited, or otherwise paid by using a debit, credit, or other payment card, check, or account number, or by other payment means; (§ 1016.14(b)(2)(vi)(A))
51(b)(vi)(2) The transfer of receivables, accounts or interests therein; (§ 1016.14(b)(2)(vi)(B)) or
51(b)(vi)(3) The audit of debit, credit, or other payment information? (§ 1016.14(b)(2)(vi)(C))

Other Exceptions to Notice and Opt Out Requirements

Item Description Yes No N/A
52 If the credit union discloses nonpublic personal information to nonaffiliated third parties, do the requirements for initial notice in § 1016.4(a)(2), opt out in §§ 1016.7 and 1016.10, revised notice in § 1016.8, and for service providers and joint marketers in § 1016.13, not apply because the credit union makes the disclosure: N/A N/A N/A
52(a) With the consent or at the direction of the consumer; (§ 1016.15(a)(1))
52(b) To protect the confidentiality or security of records, (§ 1016.15(a)(2)(i)); to protect against or prevent actual or potential fraud, unauthorized transactions, claims, or other liability, (§ 1016.15(a)(2)(ii)); for required credit union risk control or for resolving consumer disputes or inquiries, (§ 1016.15(a)(2)(iii)); to persons holding a legal or beneficial interest relating to the consumer, (§ 1016.15(a)(2)(iv)); or to persons acting in a fiduciary or representative capacity on behalf of the consumer; (§ 1016.15(a)(2)(v))
52(c) To insurance rate advisory organizations, guaranty funds or agencies, agencies rating the credit union, persons assessing compliance, and the credit union's attorneys, accountants, and auditors; (§ 1016.15(a)(3))
52(d) As specifically permitted or required by other provisions of law and in compliance with the Right to Financial Privacy Act, to law enforcement agencies, self-regulatory organizations, or for an investigation on a matter related to public safety; (§ 1016.15(a)(4))
52(e) To a consumer reporting agency in accordance with the FCRA or from a consumer report reported by a consumer reporting agency; (§ 1016.15(a)(5))
52(f) In connection with a proposed or actual sale, merger, transfer, or exchange of all or a portion of a business or operating unit, if the disclosure of nonpublic personal information concerns solely consumers of such business or unit; (§ 1016.15(a)(6))
52(g) To comply with Federal, state, or local laws, rules, or legal requirements; (§ 1016.15(a)(7)(i))
52(h) To comply with a properly authorized civil, criminal, or regulatory investigation, or subpoena or summons by Federal, state, or local authorities; (§ 1016.15(a)(7)(ii)) or
52(i) To respond to judicial process or government regulatory authorities having jurisdiction over the credit union for examination, compliance, or other purposes as authorized by law? (§ 1016.15(a)(7)(iii))

 


Footnotes

[1] 15 U.S.C. §§6801-6809. Full text of GLBA, including sections not related to consumer financial privacy, is here.

[2] Dodd-Frank Wall Street Reform and Consumer Protection Act of 2010, Pub. L. No. 111-203, Title X, 124 Stat. 1983 (2010).

[3] Dodd-Frank Act §§1002(12)(J), 1024(b)-(c), and 1025(b)-(c); 12 U.S.C. §§5481(12)(J), 5514(b)-(c), and 5515(b)-(c). Section 1002(12)(J) of the Dodd-Frank Act, however, excluded financial institutions’ information security safeguards under GLBA section 501(b) from the CFPB’s rulemaking, examination, and enforcement authority.

[4] 76 FR 79025 (Dec. 21, 2011). Pursuant to GLBA, the FTC retains rulemaking authority over any financial institution that is a person described in 12 U.S.C. §5519 (with certain statutory exceptions, the FTC generally retains rulemaking authority for motor vehicle dealers predominantly engaged in the sale and servicing of motor vehicles, the leasing and servicing of motor vehicles, or both).

[5] 74 FR 62890.

[6] 79 FR 64057.

[7] Fixing America’s Surface Transportation Act of 2015, Pub. L. No. 114-94 (2015), 129 Stat. 1312 (2015).

[8] These reflect FFIEC-approved examination procedures.
