AGENCY:

National Credit Union Administration (NCUA).

ACTION:

Notice of proposed rulemaking.

SUMMARY:

The NCUA Board is proposing a new privacy rule applicable to all federally-insured credit unions, as required by the recently enacted Gramm-Leach-Bliley Act (the GLB Act or Act). The proposed rule requires credit unions to have a privacy policy and provide certain disclosures and notices to individuals about whom credit unions collect nonpublic personal information. It also restricts a credit union's ability to disclose nonpublic personal information, including giving individuals in some cases an opportunity to opt out of the disclosure. In drafting the proposed rule, the NCUA participated as part of an interagency group composed of representatives from the NCUA, the Federal Trade Commission, the Office of the Comptroller of the Currency, Board of Governors of the Federal Reserve System, Federal Deposit Insurance Corporation, Office of Thrift Supervision, Secretary of the Treasury, and Securities and Exchange Commission (collectively, the Agencies). The other Agencies are also required to issue regulations to implement the GLB Act. NCUA's proposed rule takes into account the unique circumstances of federally-insured credit unions and their members but is comparable and consistent with the regulations of the other Agencies as required by the GLB Act.

DATES:

NCUA must receive comments by March 31, 2000.

ADDRESSES:

Direct comments to: Becky Baker, Secretary of the Board. Mail or hand-deliver comments to: National Credit Union Administration, 1775 Duke Street, Alexandria, Virginia 22314-3428, or you may fax comments to (703) 518-6319. Please send comments by one method only.

FOR FURTHER INFORMATION CONTACT:

Mary F. Rupp or Regina M. Metz, Staff Attorneys, Division of Operations, Office of General Counsel, at the above address or telephone: (703) 518-6540.

SUPPLEMENTARY INFORMATION:

I. Background

On November 12, 1999, President Clinton signed the GLB Act (Pub. L. 106-102, codified at 15 U.S.C. 6801 et seq.) into law. Subtitle A of Title V of the GLB Act, captioned Disclosure of Nonpublic Personal Information, limits the instances when a financial institution may disclose nonpublic personal information of a consumer to nonaffiliated third parties. It requires a financial institution to disclose to all its customers the institution's privacy policies and practices with respect to information sharing with affiliates and nonaffiliated third parties.

As required by the GLB Act, the NCUA has consulted with the other Agencies to ensure that its proposed rule is consistent and comparable with the proposed rules of the other Agencies. However, the NCUA's proposed rule takes into account the unique nature of credit union structure and operations, particularly, the relationship between a credit union and its members, credit union investment in credit union service organizations (CUSOs), and, generally, the significant difference between credit union and CUSO activities as compared with other financial institutions and their subsidiaries or affiliates.

A credit union is a not-for-profit, cooperative financial institution, formed to permit those in the field of membership specified in the credit union's charter to save, borrow, and obtain related financial services. Member ownership and control make credit unions unique from other financial institutions. Federal credit union investment in affiliates is limited to CUSOs, which are organizations that primarily serve credit unions or their members and whose business is related to the daily and routine operations of credit unions. 12 U.S.C. 1757(5)(D), 1757(7)(I). This is also generally true for state-chartered credit unions.

A key focus of the GLB Act is protecting the privacy of consumers and the customers of financial institutions while permitting financial institutions to make disclosures to their affiliates. In the credit union context, this means that the provisions of the Act and the requirements of NCUA's proposed regulation will apply primarily to a credit union's members and ordinarily permit sharing of information with CUSOs. Nevertheless, the Act and the proposed regulations impose requirements on credit unions with respect to nonmembers who are deemed to be consumers or customers receiving a financial product or service from the credit union. Thus, credit unions must understand when individuals qualify as a consumer or customer and what responsibilities the credit union has to them. While the GLB Act uses the term customer to describe a category of individuals to whom certain obligations are owed, the term customer should not be equated with the term member. Members in a credit union, as noted above, are its owners with a relationship to their credit union that is inherently different than that of customers to a financial institution. In addition, whether a CUSO will qualify as an affiliate to which a credit union may make disclosures will depend on the extent to which a credit union exercises control over the CUSO.

NCUA's proposed rule mirrors the other Agencies' proposed rules except for modifications appropriate to address the different circumstances of credit unions such as references to credit unions, CUSOs, members, nonmember customers, and other nonmembers. NCUA has also incorporated much of the preamble discussion from the Agencies' joint notice of proposed rulemaking in this preamble. The section-by-section analysis of the rule that follows points out those provisions that differ from the other Agencies' proposed rules. Besides differences in terms or definitions, a significant modification is in the use of examples in the rule. All the Agencies' proposed rules contain examples to aid understanding. NCUA has attempted to use examples pertinent to credit union circumstances and, therefore, has changed or deleted some examples used in the other Agencies' proposals.

The NCUA requests comment on all aspects of the proposed rule as well as comment on the specific provisions and issues highlighted in the section-by-section summary below. The NCUA Start Printed Page 10989specifically requests comment on the examples in the proposed rule and on any additional examples that would be helpful.

NCUA and the other Agencies are developing examination standards and guidelines. A credit union's compliance with this rule will be reviewed as part of the regular examination process.

NCUA and the other Agencies have coordinated their comment periods to end on March 31, 2000. Although, NCUA's Interpretive Ruling and Policy Statement 87-2 states that the public should be given at least 60 days to comment on a proposed rule, this abbreviated comment period is necessary because of the statutory requirement that the final rule be issued by May 12, 2000.

II. Section-by-Section Analysis

Section 716.1 Purpose and Scope

Proposed paragraph (a) of this section identifies three purposes of the rule. First, the rule requires a credit union to provide notice to consumers, defined in § 716.3(e), about the credit union's privacy policies and practices. Second, the rule describes the conditions under which a credit union may disclose nonpublic personal information about a consumer to a nonaffiliated third party. Third, the rule provides a method for a consumer to “opt out” of the disclosure of that information to nonaffiliated third parties, subject to the exceptions in §§ 716.9, 716.10, and 716.11, discussed below.

Proposed paragraph (b) sets out the scope of the NCUA rule, stating that it applies to all federally-insured credit unions. Section 505(a)(2) of the GLB Act provides that the NCUA Board has enforcement authority for federally-insured credit unions and any subsidiaries. The NCUA notes that, while CUSOs may be considered “subsidiaries,” the Federal Credit Union Act does not give the NCUA direct regulatory or supervisory authority over CUSOs. Therefore, CUSOs, depending on the type of businesses in which they engage, may be subject to the GLB Act and the regulations of the agency having jurisdiction over that business activity. For example, a CUSO engaged in securities brokerage activities would be subject to the Securities and Exchange Commission privacy regulation.

The NCUA Board specifically requests comment on whether it would be appropriate to exempt federally-insured corporate credit unions from the regulation. The membership of corporate credit unions is natural person credit unions; they are operated primarily to serve other credit unions and limit natural person members to the minimum required by state or federal law to charter and operate the credit union. 12 CFR 704.2. Corporate credit unions function as a “credit union's credit union” and provide a source of liquidity and investment for natural person credit unions as well as acting as clearing houses for financial transactions. The Board is particularly interested in comments that illustrate whether and to what extent corporate credit unions actually collect nonpublic personal information about consumers or customers within the meaning of the GLB Act and this regulation.

This paragraph also notes that the rule applies only to information about individuals who obtain a financial product or service from a credit union for personal, family, or household purposes.

Section 716.2 Rule of Construction

Proposed § 716.2 of the rule sets out a rule of construction intended to clarify the effect of the examples used in the rule. Given the wide variety of transactions that Title V of the GLB Act covers, the NCUA proposes to adopt a rule of general applicability and then provide examples of conduct that would comply with the rule as well as examples of conduct that would not. While the NCUA's general rule is consistent with the other Agencies' proposals, NCUA's examples differ on occasion from those used by the other Agencies in order to provide guidance that is more applicable to credit unions.

The examples are provided to fulfill NCUA's goal of understandable regulations. These examples are not intended to be exhaustive; rather, they are intended to provide guidance about how the rule would apply in specific situations.

Section 716.3 Definitions

(a) Affiliate. The proposed rule adopts the definition of “affiliate” used in section 509(6) of the GLB Act. An affiliation will be found when one company controls, is controlled by, or is under common control with another company. Control is defined in § 716.3(g). The definition of affiliate applies to financial institutions and entities that are not financial institutions.

NCUA's proposed rule includes examples of entities that will be affiliates for credit unions. For a federal credit union, the only entity that can be an affiliate is a CUSO, as addressed in 12 CFR part 712, that is controlled by the federal credit union. For a state-chartered credit union, an affiliate will be a company that the credit union controls.

(b) Clear and conspicuous. Title V of the GLB Act and the proposed rule require that various notices be “clear and conspicuous.” The proposed rule defines this term to mean that the notice is reasonably understandable and designed to call attention to the nature and significance of the information contained in the notice.

The proposed rule does not mandate the use of any particular technique for making the notices clear and conspicuous, but instead allows each credit union the flexibility to decide for itself how best to comply with this requirement. Ways in which a notice may satisfy the clear and conspicuous standard would include, for instance, using a plain-language caption, in a type set easily seen, that is designed to call attention to the information contained in the notice. Other plain language principles are provided in the examples that follow the general rule.

(c) Collect. The proposed rule defines “collect” to mean obtaining any information that is organized or retrievable on a personally identifiable basis, irrespective of the source of the underlying information. Several sections of the proposed rule, for example, §§ 716.6 and 716.7, impose obligations when a credit union collects information about a consumer. This proposed definition clarifies that these obligations arise when the information enables the user to identify a particular consumer. It also clarifies that the obligations arise regardless of whether a credit union obtains the information from a consumer or some other source.

(d) Company. The proposed rule defines “company,” which is used in the definition of “affiliate,” as any corporation, limited liability company, business trust, general or limited partnership, association, or similar organization.

(e) Consumer. The proposed rule defines “consumer” to mean an individual who obtains, from a credit union, financial products or services that are to be used primarily for personal, family, or household purposes. An individual also will be deemed to be a consumer for purposes of a credit union if that credit union purchases the individual's account from some other institution. The definition also includes the legal representative of an individual.

The GLB Act distinguishes “consumers” from “customers” for purposes of the notice requirements imposed by the Act. As explained more fully in the discussion of proposed § 716.4 which covers initial notices, a Start Printed Page 10990credit union must give a “consumer” an initial notice only if it intends to disclose nonpublic personal information about the consumer to a nonaffiliated third party for a purpose that is not authorized by one of several exceptions in the Act. By contrast, a credit union must give all “customers,” at the time of establishing a customer relationship and annually thereafter during the continuation of the customer relationship, a notice of the institution's privacy policy.

A person is a “consumer” under the proposed rule if he or she obtains a financial product or service from a credit union. A credit union that intends to share nonpublic personal information about a consumer with nonaffiliated third parties outside of the exceptions described in §§ 716.10 and 716.11 will have to give the requisite notices, even if the consumer does not enter into a customer relationship with the institution.

The examples that follow the definition of “consumer” clarify when someone is a consumer. The examples for credit unions deviate from the examples for the other Agencies and use the terms member and nonmember where applicable. The other Agencies' examples include situations where someone: Applies for a loan or provides information for the purpose of determining whether he or she prequalifies for a loan; provides information in connection with seeking to obtain financial advisory services; and negotiates a workout of a loan. These examples do not apply to credit unions, because someone in the above situations will necessarily be a member of a credit union, and therefore, also a customer. The examples also clarify the status of someone whose loan has been sold.

(f) Consumer reporting agency. The proposed rule adopts the definition of “consumer reporting agency” that is used in section 603(f) of the Fair Credit Reporting Act (15 U.S.C. 1681a(f)). This term is used in proposed §§ 716.11 and 716.13 which deal with exceptions to notice and opt out and limitations on sharing.

(g) Control. The proposed rule defines “control” using the tests applied in section 23A of the Federal Reserve Act (12 U.S.C. 371c). This definition is used to determine when companies are affiliated (see discussion of proposed § 716.2(a), above), and would result in a financial institution and a company being considered as affiliates regardless of whether the control is by a company or individual.

The proposed definition mirrors the definition of the other Agencies. NCUA is interested in receiving comment on whether this definition should be amended to reflect the particular relationship between a credit union and a CUSO. Historically, a federal credit union that invested in or made a loan to a CUSO was defined as an affiliated credit union of the CUSO. 51 FR 10353, 10360 (March 26, 1986); former 12 CFR 701.27(c)(1). The Board is particularly interested in receiving comment on whether a CUSO that is 100% owned by credit unions should be considered an affiliate of all of the investing credit unions, regardless of whether any one credit union owns 25%.

(h) Credit union. NCUA has defined credit union as a federally-insured credit union.

(i) Customer. The proposed rule defines “customer” as any consumer who has a customer relationship with a particular credit union. This definition parallels the one used for the term “customer” in the other Agencies” proposed rules. A customer relationship, which is separately defined, basically means that there is an ongoing relationship between the credit union and a consumer. For credit unions, it is obvious that their members will fall under the meaning of customer but the term customer will also include certain nonmembers. A nonmember may also have a customer relationship with a credit union in certain circumstances.

As explained more fully in the discussion of proposed § 716.4, a consumer becomes a customer of a credit union at the time of entering into a continuing relationship with the credit union. Ordinarily, a consumer will enter into a continuing relationship with the credit union at the time the consumer becomes a member. In some cases, a nonmember may also enter into a continuing relationship with a credit union. This may occur, for example, when a nonmember acts as a guarantor on a loan for a member or is listed by a member as a joint account holder. Another example of nonmembers who would qualify as customers are individuals who establish a share account at a low-income designated credit union.

The distinction between consumers and customers determines what notices a credit union must provide. If a consumer never becomes a customer, then, unless the credit union intends to disclose nonpublic personal information outside of the exceptions about that consumer to nonaffiliated third parties, the credit union is not required to provide any privacy notices. By contrast, if a consumer becomes a customer, the credit union must provide a copy of its privacy policy prior to the time it establishes the customer relationship and at least annually thereafter during the continuation of the customer relationship.

(j) Customer relationship. The proposed rule defines “customer relationship” to mean a continuing relationship between a consumer and the credit union whereby the credit union provides a financial product or service to a consumer that is to be used primarily for personal, family, or household purposes. NCUA's definition parallels the other Agencies' definition of customer relationship, but highlights in the examples the circumstances as applicable to members and nonmembers.

Because the GLB Act requires annual notices of the credit union's privacy policies to customers, NCUA and the Agencies have interpreted the Act as requiring more than isolated transactions between a financial institution and a consumer to establish a customer relationship, unless it is reasonable to expect further contact between the institution and consumer afterwards. Thus, the proposed rule defines “customer relationship” as one that is of a continuing nature.

NCUA has changed the examples in this subsection to reflect that a member will necessarily have a continuing relationship with a credit union but that certain nonmembers may also have a continuing relationship and, therefore, be entitled to the same notices and disclosures that the credit union must provide to its members. These circumstances include where a nonmember has a joint account with a member, where a nonmember has an account with a low-income credit union, or where a credit union owns or services a nonmember's loan.

The examples that follow the definition of “customer relationship” clarify, for instance, that using an automated teller machine at a credit union at which a consumer transacts no other business or purchasing of traveler's checks would not constitute a continuing relationship. While a person engaging in one of these types of transactions would be a consumer under the regulation (thereby requiring the credit union to provide notices if the credit union intends to disclose nonpublic personal information about the consumer to nonaffiliated third parties outside of the exceptions), the consumer would not be a customer. Even if a consumer repeatedly engages in transactions of this sort, such as withdrawing funds at regular intervals from an ATM owned by a credit union with whom the consumer has no Start Printed Page 10991customer relationship, the consumer will not be considered a customer.

The examples also clarify that a nonmember will have a customer relationship if a credit union has purchased the nonmember's loan or services a nonmember's loan.

(k) Financial institution. The proposed rule defines “financial institution” as any institution the business of which is engaging activities that are financial in nature, or incidental to such financial activities, as described in section 4(k) of the Bank Holding Company Act of 1956 (12 U.S.C. 1843(k)). The proposed rule also exempts from the definition of “financial institution” those entities specifically excluded by the GLB Act.

(l) Financial product or service. The proposed rule defines “financial product or service” as a product or service that a financial institution could offer as an activity that is financial in nature, or incidental to such a financial activity, under section 4(k) of the Bank Holding Company Act of 1956, as amended. It includes the credit union's evaluation of information collected in connection with an application by a consumer for a financial product or service. It also includes the distribution of information about a consumer for the purpose of assisting the consumer to obtain a financial product or service. Thus the definition includes nonpublic personal information provided by a consumer in an application for a financial product or service that ultimately is rejected or withdrawn. An activity that is complementary to a financial activity, as described in section 4(k), is not included in the definition of “financial product or service” under this part.

(m) Government regulator. The proposed rule adopts the definition of “government regulator” that includes each of the Agencies with enforcement authority under the statute, including State insurance authorities under the circumstances identified in the definition. This term is used in the exception set out in proposed § 716.11(a)(4) for disclosures to law enforcement agencies, “including government regulators.”

(n) Nonaffiliated third party. The proposed rule defines “nonaffiliated third party” as any person (which includes natural persons as well as corporate entities such as corporations, partnerships, trusts, and so on) except (1) an affiliate of a credit union, and (2) a joint employee of a credit union and a third party. This definition is intended to be substantively the same as the definition used in section 509(5) of the GLB Act.

(o) Nonpublic personal information. Section 509(4) of the GLB Act defines “nonpublic personal information” to mean “personally identifiable financial information” (which term is not defined in the Act) that is: provided by a consumer to a financial institution; results from any transaction with the consumer or any service performed for the consumer; or is otherwise obtained by the financial institution. Any list, description, or other grouping of consumers—and “publicly available information” (which also is undefined in the GLB Act) pertaining to them—that is derived using any nonpublic personal information other than publicly available information also is included in the definition of “nonpublic personal information.”

The proposed rule implements this provision of the GLB Act by restating, in paragraph (1) of proposed § 716.2(o), the two categories of information described above. The example that follows the general definition clarifies that publicly available information and other identifying information about consumers, such as addresses and social security numbers, would be considered nonpublic personal information if the information is derived from information provided by a consumer or from customer accounts at, or other relationships with, a financial institution.

The proposed rule excludes publicly available information from the scope of “nonpublic personal information” only in two circumstances. The first is when the information is part of a list, description, or other grouping of consumers that is derived without using personally identifiable financial information. The second is when information, not provided by a consumer and not resulting from a transaction with the consumer, is otherwise obtained by a credit union in connection with providing a financial product or service to the consumer. However, in order for the information to be considered “publicly available”, the information must be obtained from government records, widely distributed media, or government-mandated disclosures. The fact that information is available from those sources is immaterial if the credit union does not actually obtain the information from one of them.

Some of the other Agencies are considering an alternative definition of “nonpublic personal information” that would permit a financial institution to release publicly available information regardless of the source but would still prohibit the release of this information as part of a list, description or other grouping of consumers that is derived using personally identifiable financial information. This will produce a different result in the situation where a credit union wants to disclose the name, address, or other information available to the general public about an individual. In that situation, the proposed rule requires compliance with the notice and opt out requirements if the credit union received the information from the individual. The alternative definition would not, because the information would not be part of a list, description, or other grouping of consumers. NCUA invites comment on both alternatives.

NCUA also specifically invites comment on whether the definition of “nonpublic personal information” would cover information about a consumer that contains no indicators of a consumer's identity. For instance, if a credit union provided aggregate information about its mortgage loans (such as loan-to-value ratios, interest rates, census tracts of mortgaged property, payment history, credit scores, and income) to a nonaffiliated third party for the purpose of preparing market studies, would the lender, without notice or opt out to the consumer, be permitted to do so if the information contains no personal identifiers?

(p) Personally identifiable financial information. The GLB Act defines “nonpublic personal information” to include “personally identifiable financial information” but does not define the latter term.

As a general matter, the rule treats any personally identifiable information as financial if it is obtained by a credit union in connection with providing a financial product or service to a consumer. NCUA believes that this approach creates a workable and clear standard for distinguishing information that is financial from information that is not, while at the same time giving meaning to the word “financial.” NCUA recognizes that this may result in certain information being covered by the rules that typically is not thought of as financial, such as health status. However, the broad scope of what is deemed a “financial product or service” under the GLB Act requires a comparably broad scope of what is deemed “financial information.” NCUA specifically invites comment on the proposed definition of “personally identifiable financial information.”

The proposed rule defines “personally identifiable financial information” to include three categories of information. The first category is any information that a consumer provides a Start Printed Page 10992credit union in order for the credit union to provide a financial product or service to that consumer. As noted in the examples that follow the definition, this would include information provided on an application to obtain a loan, credit card, or other financial product or service. If, for instance, medical information is provided on an application to obtain a financial product or service, that information would be considered “personally identifiable financial information” for purposes of the proposed rule.

The second category of information covered by the proposed definition of “personally identifiable financial information” includes any information resulting from any transaction between the consumer and the credit union involving a financial product or service. This would include, as noted in the examples following the definition, account balance information, payment or overdraft history, and credit or debit card purchase information.

The third category includes any financial information about a consumer otherwise obtained by the credit union in connection with providing a financial product or service. This would include, for example, information obtained from a consumer report or from an outside source to verify information a consumer provides on an application to obtain a financial product or service. It would not include, however, information that is publicly available.

The examples note that the definition of “personally identifiable information” does not include a list of names and addresses of people who are customers of an entity that is not a financial institution. Thus, the names and addresses of people who subscribe, for instance, to a particular magazine fall outside the definition. If, however, a credit union incorporates those names and addresses into a listing of one or more of the credit union's members or nonmember customers, then the entire list becomes nonpublic personal information.

NCUA notes that there are other laws that may impose limitations on disclosures of nonpublic personal information in addition to those imposed by the GLB Act and this proposed rule. For instance, the Fair Credit Reporting Act imposes conditions on the sharing of application information between affiliates and nonaffiliated third parties. The recently proposed Department of Health and Human Services regulations that implement the Health Insurance Portability and Accountability Act of 1996 would, if adopted in final form, limit the circumstances under which medical information may be disclosed. 64 FR 59918 (Nov. 3, 1999). State laws may also affect a credit union's ability to disclose information. Thus, credit unions will need to monitor and comply with relevant legislative and regulatory developments that affect the disclosure of consumer information.

(q) Publicly available information. The proposed rule defines “publicly available information” as information lawfully made available to members of the general public that is obtained from three broad types of source. First, it includes information from official public records, such as real estate recordations or security interest filings. Second, it includes information from widely distributed media, such as a telephone book, television or radio program, or newspaper. Third, it includes information from disclosures required to be made to the general public by federal, state, or local law, such as securities disclosure documents. The proposed rule states that information obtained over the Internet will be considered publicly available information if the information is obtainable from a site available to the general public without requiring a password or similar restriction. NCUA invites comment on what information is appropriately considered publicly available, particularly in the context of information available over the Internet.

(r) You. This term refers to all federally-insured credit unions.

Section 716.4 Initial Notice to Consumers of Privacy Policies and Practices Required

The GLB Act requires a financial institution to provide an initial notice of its privacy policies and practices in two circumstances. For customers, the notice must be provided at the time of establishing a customer relationship. For credit unions, ordinarily this will be at the time an individual applies for membership. For consumers who do not become customers, the notice must be provided prior to disclosing nonpublic personal information about the consumer to a nonaffiliated third party. In addition, as discussed more fully in § 716.8, a revised notice must be provided to consumers prior to disclosing nonpublic personal information if a credit union's policies have changed.

Proposed § 716.4(a) states the general rule regarding these notices. It requires a credit union to provide a clear and conspicuous notice that accurately reflects the credit union's privacy policies and practices. A notice is clear and conspicuous if it is reasonably understandable and designed to call attention to the nature and significance of the information it provides. A credit union may not represent in the notice that it will provide certain protections and then fail to provide them; that would mean the notice is not accurate. NCUA expects that credit unions will take appropriate measures to ensure adherence to their stated privacy policies.

Affiliated institutions may use a common initial, annual, or opt out notice, so long as the notice is delivered in accordance with the rule and is accurate for all recipients. Similarly, the rule permits a credit union to establish different privacy policies and practices for different customers, so long as they receive notices that are accurate with respect to them. Credit unions could, for example, have different notices for members and for nonmember customers.

The proposed rule requires a credit union to provide an individual a privacy notice prior to the time that it establishes a customer relationship. Ordinarily, this will be at the time an individual applies for membership. For a nonmember, a credit union could provide the notice at the same time it provides other required notices, such as those required by the Truth-in-Lending Act. This approach is intended to strike a balance between (a) ensuring that consumers will receive privacy notices at a meaningful point along the continuum of “establishing a customer relationship” and (b) minimizing unnecessary burdens on credit unions that may result if a credit union is required to provide a consumer with a series of notices at different points in a transaction. Nothing in the proposed rule is intended to discourage a credit union from providing a privacy notice at an earlier point in the relationship to make it easier for an individual to compare several institutions' privacy policies and practices in advance of conducting transactions.

Proposed § 716.4(c) identifies the time the customer relationship is established as the point at which a credit union and a consumer enter into a continuing relationship. The examples NCUA provides differ from other Agencies to account for the member or nonmember relationship and the financial products or services that credit unions offer. The examples after the statement of the general rule inform the reader that, for a member, the relationship is established when the individual becomes a member. For nonmembers in relationships that are contractual in nature, such as share accounts, loans, or purchases of a nondeposit product, a customer relationship is established Start Printed Page 10993when the individual executes the contract necessary to conduct the transaction in question. In the case of a credit card, the nonmember customer relationship is established when the necessary step to open the credit card account is taken under a credit union's procedures.

For consumers that are not customers, the initial notice may be provided at any point before the credit union discloses nonpublic personal information to nonaffiliated third parties. An initial notice is not required if the credit union does not intend to disclose the information or intends to make only disclosures authorized by one of the exceptions in §§ 716.10 and 716.11.

NCUA recognizes that in some circumstances a nonmember customer does not have a choice as to the credit union with which he or she has a nonmember customer relationship, such as when a credit union purchases the nonmember customer's loan in the secondary market. In these situations, it may not be practicable for the credit union to provide a notice prior to establishing the nonmember customer relationship. NCUA invites comment on whether an exception is necessary for such circumstances and how an exception should be formulated.

Proposed § 716.4(d) sets out the rules governing how credit unions must provide the initial notices. The general rule requires initial notice be provided so that each recipient can reasonably be expected to receive actual notice. NCUA invites comment on who should receive a notice in situations where there is more than one party to an account.

The notice may be delivered in writing or, if the consumer agrees, electronically. Oral notices alone are insufficient. In the case of members or nonmember customers, the notice must be given in a way so that the member or nonmember customer may either retain it or access it at a later time. This would permit a credit union to provide access to an electronic version of the notice if the consumer agrees. This requirement that the notice be given in a manner permitting access at a later time does not preclude a credit union from changing its privacy policy. See proposed 12 CFR 716.8(c). Rather, the rules are intended only to require that a member or nonmember customer be able to access the most recently adopted privacy policy. NCUA requests comment on the regulatory burden of providing initial notices. Specifically, NCUA would appreciate learning the methods credit unions expect to use to provide initial notices.

Examples of acceptable ways the notice may be delivered include hand-delivering a copy of the notice, mailing a copy to the consumer's last known address, or sending it via electronic mail to a consumer who obtains a financial product or service from the credit union electronically. It would not be sufficient to provide only a posted copy of the notice in a lobby. Similarly, it would not be sufficient to provide the initial notice only on a Web page, unless the consumer is required to access that page to obtain the product or service in question. Electronic delivery generally should be in the form of electronic mail so as to ensure that a consumer actually receives the notice. In those circumstances where a consumer is in the process of conducting a transaction over the Internet, electronic delivery also may include posting the notice on a Web page as described above. If a credit union and consumer orally agree to enter into a contract for a financial product or service over the telephone, the credit union may provide the consumer with the option of receiving the initial notice after providing the product or service so as not to delay the transaction.

NCUA requests comment on whether there are situations where providing notice by mail is impracticable.

Section 716.5 Annual Notice to Customers Required

Section 503 of the GLB Act requires a financial institution to provide notices of its privacy policies and practices at least annually to its customers. The proposed rule implements this requirement by requiring a clear and conspicuous notice that accurately reflects the privacy policies and practices then in effect to be provided at least once during any period of twelve consecutive months. The rule governing how to provide an initial notice also applies to annual notices.

Section 503(a) of the GLB Act requires that the annual notices be provided “during the continuation” of a customer relationship. To implement this requirement, the proposed rules states that a credit union is not required to provide annual notices to a customer with whom it no longer has a continuing relationship. The examples that follow this general rule provide guidance on when there no longer is a continuing relationship for purposes of the rules. NCUA has changed these examples to reflect the concept of member and nonmember customer relationships. The examples include, for instance, when the member terminates the member relationship. For nonmembers, the examples include share accounts that are treated as dormant by a credit union, loans that are paid in full or charged off, or assets sold without retaining servicing rights. NCUA invites comment on whether the example of dormant accounts provides a sufficiently clear standard and whether the applicable standard should be the credit union's policies or applicable state law. In addition, NCUA invites comment on whether the standard should apply to members as well as nonmembers.

There may be certain nonmember customer relationships that do not present a clear event after which there is no longer a nonmember customer relationship. The proposed rule contains an example intended to cover these situations, stating that a relationship will no longer be deemed continuing for purposes of the proposed rule if the credit union has not communicated with a nonmember customer, other than providing an annual privacy policy notice, for a period of twelve consecutive months.

NCUA requests comment on the regulatory burden of providing annual notices. Specifically, NCUA would appreciate learning the methods credit unions expect to use to provide annual notices and whether credit unions will use different methods for providing initial notices than for providing annual notices.

Section 716.6 Information To Be Included in Initial and Annual Notices of Privacy Policies and Practices

Section 503 of the GLB Act identifies the items of information that must be included in a financial institution's initial and annual notices. Section 503(a) of the GLB Act sets out the general requirement that a financial institution must provide customers with a notice describing the institution's policies and practices with respect to, among other things, disclosing nonpublic personal information to affiliates and nonaffiliated third parties. Section 503(b) of the Act identifies certain elements that must be addressed in that notice.

The required content is the same for both the initial and annual notices of privacy policies and practices. While the information contained in the notices must be accurate as of the time the notices are provided, a credit union may prepare its notices based on current and anticipated policies and practices.

The information to be included is as follows:

(1) Categories of nonpublic personal information that a credit union may collect.

A credit union must inform its customers about the categories of nonpublic personal information it Start Printed Page 10994collects. The proposed rule provides an example of how to comply with this requirement that focuses the notice on the source of the information collected. As noted in the example, a credit union will satisfy this requirement if it categorizes the information according to the sources, such as application information, transaction information, and consumer report information. Credit unions may choose to provide more detail about the categories of information collected but are not required to do so by the proposed rule.

(2) Categories of nonpublic personal information that a credit union may disclose.

A credit union's initial and annual notice must provide information about the categories of nonpublic personal information that may be disclosed either to affiliates or nonaffiliated third parties. This requirement is in proposed § 716.6(a)(2). The examples of how to comply focus on the content of information to be disclosed. As stated in the examples, a credit union may satisfy this requirement by categorizing information according to source and providing illustrative examples of the content of the information. These categories might include application information (such as assets and income), identifying information (such as name, address, and social security number), transaction information (such as information about account activity, account balances, and purchases), and information from consumer reports (such as credit history).

Credit unions are free to provide more detailed information in the initial and annual notices if they choose. Conversely, if a credit union does not disclose, and does not intend to disclose, nonpublic personal information to affiliates or nonaffiliated third parties, its initial and annual notices may simply state this fact without further elaboration about categories of information disclosed.

(3) Categories of affiliates and nonaffiliated third parties to whom a credit union discloses nonpublic personal information.

Section 503(a) of the Act includes a general requirement that a financial institution provide a notice to its customers of the institution's policies and practices with respect to disclosing nonpublic personal information to affiliates and nonaffiliated third parties. Section 503(b) states that the notice required by section 503(a) shall include certain specified items. Among those is the requirement, in section 503(b)(1), that a financial institution inform its customers about its policies and practices with respect to disclosing nonpublic personal information to nonaffiliated third parties. NCUA and the other Agencies believe that, when read together, sections 503(a) and 503(b) of the GLB Act require a financial institution's notice to address disclosures of nonpublic personal information to both affiliates and nonaffiliated third parties.

The proposed rule states that a credit union will adequately categorize the affiliates and nonaffiliated third parties to whom it discloses nonpublic personal information about consumers if it identifies the types of businesses that they engage in. Types of businesses may be described by general terms, such as financial products or services, if the credit union provides illustrative examples of the significant lines of businesses of the recipient, such as mortgage lending, insurance brokerage, or securities brokerage.

The GLB Act does not require a financial institution to list the categories of persons to whom information may be disclosed under one of the exceptions set out in proposed §§ 716.10 and 716.11. The proposed rule states that a credit union is required only to inform consumers that it makes disclosures as permitted by law to nonaffiliated third parties in addition to those described in the notice. NCUA invites comment on whether such a disclosure would be adequate.

If a credit union does not disclose, and does not intend to disclose, nonpublic personal information to affiliates or nonaffiliated third parties, its initial and annual notices may simply state this fact without further elaboration about categories of third parties.

(4) Information about former members and nonmember customers. Section 503(a)(2) requires the financial institution's initial and annual privacy notices to include the institution's policies and practices with respect to disclosing nonpublic personal information of persons who have ceased to be customers of the institution. Section 503(b)(1)(B) requires that this information be provided with respect to information disclosed to nonaffiliated third parties.

NCUA and the other Agencies have concluded that, when read together, sections 503(a)(2) and 503(b)(1)(B) require a financial institution to include in the initial and annual notices the institution's policies and practices with respect to sharing information about former customers with all affiliates and nonaffiliated third parties. This requirement is set out in the proposed rules at § 716.6(a)(4).

(5) Information disclosed to service providers. Section 502(b)(2) of the GLB Act permits a financial institution to disclose nonpublic personal information about a consumer to a nonaffiliated third party for the purpose of the third party performing services for the institution, including marketing financial products or services under a joint agreement between the financial institution and at least one other financial institution. In this case, a consumer has no right to opt out. However, the financial institution must inform the consumer that it will be disclosing the information in question, unless the service falls within one of the exceptions listed in section 502(e) of the Act.

The proposed rule implements these provisions, in proposed § 716.6(a)(5), by requiring that, if a credit union discloses nonpublic personal information to a nonaffiliated third party under the exception for service providers, the credit union is to include in the initial and annual notices a separate description of the categories of information that are disclosed and the categories of third parties providing the services. A credit union may comply with these requirements by providing the same level of detail in the notice as is required to satisfy the requirements in proposed §§ 716.6(a)(2) and (3).

(6) Right to opt out. As previously noted, sections 503(a)(1) and 503(b)(1) of the GLB Act require a financial institution to provide customers with a notice of its privacy policies and practices concerning, among other things, disclosing nonpublic personal information consistent with section 502 of the Act.

The proposed rule implements this requirement, in proposed § 716.6(a)(6), by requiring the initial and annual notices to explain the right to opt out of disclosures of nonpublic personal information to nonaffiliated third parties, including the methods available to exercise that right.

(7) Disclosures made under the FCRA. Section 503(b)(4) of the GLB Act requires a financial institution's initial and annual notice to include the disclosures required, if any, under section 603(d)(2)(A)(iii) of the FCRA. Section 603(d)(2)(A)(iii) excludes from the definition of “consumer report” the communication of certain consumer information among affiliated entities if the consumer is notified about the disclosure of such information and given an opportunity to opt out of that information sharing. The information that can be shared among affiliates under this provision includes information from consumer reports and Start Printed Page 10995applications for financial products or services. In general, this information represents personal information provided directly by the consumer to the institution, such as income and social security number, in addition to information contained within credit bureau reports.

The proposed rule implements section 503(b)(4) of the GLB Act by including the requirement that a credit union's initial and annual notice include any disclosures a credit union makes under section 603(d)(2)(A)(iii) of the FCRA.

(8) Confidentiality, security, and integrity. Section 503(a)(3) of the GLB Act requires the initial and annual notices to provide information about a financial institution's policies and practices with respect to protecting the nonpublic personal information of consumers. Section 503(b)(3) of the Act requires the notices to include the policies that the institution maintains to protect the confidentiality and security of nonpublic personal information, in accordance with section 501. Section 501 requires the Agencies to establish standards governing the administrative, technical, and physical safeguards of customer information.

The proposed rule implements these provisions by requiring a credit union to include in the initial and annual notices the credit union's policies and practices for protecting the confidentiality, security, and integrity of nonpublic personal information. The example in the proposed rules states that a credit union may comply with the requirement as it concerns confidentiality and security if it explains matters such as who has access to the information and the circumstances under which the information may be accessed. The information about integrity should focus on the measures the credit union takes to protect against reasonably anticipated threats or hazards. The proposed rule does not require a credit union to provide technical or proprietary information about how it safeguards consumer information.

The Agencies are in the process of preparing the section 501 standards relating to administrative, technical, and physical safeguards, and intend to have those standards in place at the time the final privacy rules are issued. This will enable credit unions to reflect those standards in the initial and annual notices.

Section 716.7 Limitation on Disclosure of Nonpublic Personal Information About Consumers to Nonaffiliated Third Parties

Section 502(a) of the GLB Act generally prohibits a financial institution from sharing nonpublic personal information about a consumer with a nonaffiliated third party unless the institution provides the consumer with a copy of the institution's privacy policy. Section 502(b) of the Act adds the requirements that the financial institution provide the consumer with a clear and conspicuous notice that the consumer's nonpublic personal information may be disclosed to nonaffiliated third parties, that the consumer be given an opportunity to opt out of that disclosure, and that the consumer be informed of how to opt out.

Section 716.7 of the proposed rule implements these provisions. Paragraph (a)(1) of § 716.7 sets out the criteria that a credit union must satisfy before disclosing nonpublic personal information to nonaffiliated third parties. These criteria apply to direct and indirect disclosures through an affiliate. NCUA invites comment on how the right to opt out should apply in the case of joint accounts. Should, for instance, a credit union require all parties to an account to opt out before the opt out becomes effective? If not, and only one of the parties opts out, should the opt out apply only to information about the party opting out or should it apply to information about all parties to the account? NCUA also requests comment on how the opt out rights should be handled with respect to commingled trust accounts, where a trustee manages a single account on behalf of multiple beneficiaries.

Paragraph (a)(2) defines “opt out” in a way that incorporates the exceptions to the right to opt out stated in proposed §§ 716.9, 716.10, and 716.11. These exceptions permit disclosures of nonpublic personal information to nonaffiliated third parties without first providing the initial privacy notice and giving the consumer the right to opt out.

The proposed rule requires that a consumer be given an opportunity to opt out before information is disclosed by requiring that the opportunity be reasonable. The examples that follow the general rule provide guidance in situations involving notices that are mailed and notices that are provided in connection with isolated transactions. In the former case, a consumer will have a reasonable opportunity to opt out if the credit union provides 30 days in which to opt out. In the latter case, opportunity will be reasonable if the consumer must decide as part of the transaction whether to opt out before completing the transaction. NCUA invites comment on whether 30 days is a reasonable opportunity to opt out in the case of notices sent by mail, and on whether an example in the context of transactions conducted using an electronic medium would be helpful.

The requirement that a consumer have a reasonable opportunity to opt out does not mean that a consumer forfeits that right once the opportunity lapses. The consumer always has the right to opt out (this point is discussed further in proposed § 716.8, below). But, a decision to opt out at a time after the opportunity first is presented may result in nonpublic personal information being disclosed to nonaffiliated third parties for the period of time necessary to implement the consumer's opt out direction.

Paragraph (b) of proposed § 716.7 clarifies that the right to opt out applies regardless of whether a consumer has established a member or nonmember customer relationship with a credit union. As noted above, all members or nonmember customers are consumers under the proposed rules. Thus, the fact that a consumer establishes a member or nonmember customer relationship with a credit union does not change the credit union's obligations to comply with the requirements of proposed § 716.7(a) before sharing nonpublic personal information about that consumer with nonaffiliated third parties. This also applies in the context of a consumer who had a member or nonmember customer relationship with a credit union but then terminated that relationship. Paragraph (b) also clarifies that the consumer protections afforded by paragraph (a) of proposed § 716.7 apply to all nonpublic personal information collected by a credit union, regardless of when collected. Thus, if a consumer elects to opt out of information sharing with nonaffiliated third parties, that election applies to all nonpublic personal information about that consumer in the credit union's possession, regardless of when the information is obtained.

Paragraph (c) of proposed § 716.7 states that a credit union may, but is not required to, provide consumers with the option of a partial opt out in addition to the opt out required by this section. This could enable a consumer to limit, for instance, the types of information disclosed to nonaffiliated third parties or the types of recipients of the nonpublic personal information about that consumer. If the partial opt out option is provided, a credit union must Start Printed Page 10996state this option in a way that clearly informs the consumer about the choices available and consequences thereof.

Section 716.8 Form and Method of Providing Opt Out Notice to Consumers

Paragraph (a) of proposed § 716.8 requires that any opt out notice provided by a credit union under § 716.7 must be clear and conspicuous and accurately explain the right to opt out. The notice must inform the consumer that the credit union may disclose nonpublic personal information to nonaffiliated third parties, state that the consumer has a right to opt out, and provide the consumer with a reasonable means by which to opt out.

The examples that follow the general rule state that a credit union will adequately provide notice of the right to opt out if it: identifies the categories of information that may be disclosed; the categories of nonaffiliated third parties to whom the information may be disclosed; and that the consumer may opt out of those disclosures. A credit union that plans to disclose only limited types of information or to only a specific type of nonaffiliated third party may provide a correspondingly narrow notice to consumers. However, to minimize the number of opt out notices a credit union must provide, the credit union may wish to base its notices on current and anticipated information sharing plans. A new opt out notice is not required for disclosures to different types of nonaffiliated third parties or of different types of information, provided that the most recent opt out notice is sufficiently broad to cover the entities or information in question. Nor is a credit union required to provide subsequent opt out notices when a consumer establishes a new type of relationship with that credit union, such as becoming a member or nonmember customer, unless the credit union's opt out policies differ depending on the type of member or nonmember customer relationship.

The examples also suggest several ways in which a credit union may provide reasonable means to opt out, including check-off boxes, self-addressed stamped reply forms, and electronic mail addresses. A credit union does not provide a reasonable means of opting out in the opt out notice by requiring consumers to send their own letter informing the credit union of an opt out election. A credit union may honor letters, particularly with respect to delayed opt outs as described in paragraph (d).

Paragraph (b) applies the same rules to delivery of the opt out notice that apply to delivery of the initial and annual notices. In addition, paragraph (b) clarifies that the opt out notice may be provided together with, or on the same form as, the initial and annual notices. However, if the opt out notice is provided after the initial notice, a credit union must provide a copy of the initial notice along with the opt out notice. If a credit union and consumer orally agree to enter into a customer relationship, the credit union may provide the opt out notice within a reasonable time thereafter if the consumer agrees. NCUA invites comment on whether a more specific time by which the notice must be given would be appropriate.

Paragraph (c) sets out the rules governing a credit union's obligations in the event the credit union changes its disclosure policies. As stated in that paragraph, a credit union may not disclose nonpublic personal information to a nonaffiliated third party unless the credit union first provides a revised notice and new opportunity to opt out. The credit union must wait a period of time that is reasonable under the circumstances before disclosing information according to the terms of the revised notice in order to afford the consumer a reasonable opportunity to opt out. A credit union must provide the revised notice of its policies and practices and opt out notice to a consumer using the means permitted for providing the initial notice and opt out notice to that consumer under § 716.4(c) or § 716.8(b), respectively, which require that the notices be given in a manner so that each consumer can reasonably be expected to receive actual notice in writing or, if the consumer agrees, in electronic form.

Paragraph (d) states that a consumer has the right to opt out at any time. NCUA considered whether to include a time limit by which credit unions must effectuate a consumer's opt out election, but decided that the wide variety of practices of credit unions made one limit inappropriate. Instead, NCUA's rule requires that the sharing of nonpublic personal information stop promptly.

Paragraph (e) states that an opt out will continue until a consumer revokes it. The rules require that such revocation be in writing, or, if the consumer has agreed, electronically.

NCUA requests comment on the regulatory burden of complying with opt out notices. How do credit unions expect to give opt out opportunities? How many opt outs do credit unions expect to receive and need to process?

Section 716.9 Exception to Opt Out Requirements for Service Providers and Joint Marketing

Section 502(b) of the GLB Act creates an exception to the opt out rules for the disclosure of information to service providers and for marketing. A consumer will not have the right to opt out of disclosing nonpublic personal information about the consumer to nonaffiliated third parties under these circumstances, if the credit union satisfies certain requirements.

First, the credit union must, as stated in section 502(b), “fully disclose” to the consumer that it will provide this information to the nonaffiliated third party before the information is shared. This disclosure should be provided as part of the initial notice that is required by § 716.4. NCUA invites comment on whether the proposed rules appropriately implement the requirement of “full” disclosure in section 502(b).

Second, the credit union must enter into a contract with the third party that requires the third party to maintain the confidentiality of the information. This contract should be designed to ensure that the third party (a) will maintain the confidentiality of the information at least to the same extent as is required for the credit union that discloses it, and (b) will use the information solely for the purposes for which the information is disclosed or as otherwise permitted by §§ 716.10 and 716.11 of the proposed rules. NCUA invites comment on the application of proposed § 716.9(a)(2)(ii) in the context of credit unions that contract with credit scoring vendors to evaluate borrower creditworthiness. Specifically, would that section prohibit the vendor from using the consumer's information without the indicators of personal identity to re-validate the underlying model? Would using the information in this manner be beyond the lender's immediate purpose of determining the consumer's propensity to perform acceptably?

The GLB Act allows the Agencies to impose requirements on the disclosure of information pursuant to the exception for service providers beyond those imposed in the statute. NCUA, like the other Agencies, has not done so in the proposed rules, but NCUA invites comment on whether additional requirements should be imposed, and, if so, what those requirements should address. NCUA notes, for instance, that joint agreements have the potential to create reputation risk and legal risk for a credit union entering into such an agreement. NCUA seeks comment on whether the rule should require a credit Start Printed Page 10997union to take steps to assure itself that the product being jointly marketed and the other participants in the joint marketing agreement do not present undue risks for the credit union. These might include, for instance, ensuring that the credit union's sponsorship of the product or service in question is evident from the marketing of that product or service. NCUA also invites comments on any other requirements that would be appropriate to protect a consumer's financial privacy, and on whether the rules should provide examples of the types of joint agreements that are covered.

Section 716.10 Exceptions to Notice and Opt Out Requirements for Processing and Servicing Transactions

Section 502(e) of the GLB Act creates exceptions to the requirements that apply to the disclosure of nonpublic personal information to nonaffiliated third parties. Paragraph (1) of that section sets out certain exceptions for disclosures made, generally speaking, in connection with the administration, processing, servicing, and sale of a consumer's account.

Paragraph (a) of proposed § 716.10 sets out those exceptions, making only stylistic changes to the statutory text that are intended to make the exceptions easier to read. Paragraph (b) sets out the definition of “necessary to effect, administer, or enforce” that is contained in section 509(7) of the GLB Act.

The exceptions set out in proposed § 716.10, and the exceptions discussed in proposed § 716.11, below, do not affect a credit union's obligation to provide initial notices of its privacy policies and practices prior to the time it establishes a member or nonmember customer relationship and annual notices thereafter. Those notices must be provided to all members and nonmember customers, even if the credit union intends to disclose the nonpublic personal information only pursuant to the exceptions in § 10.

Section 716.11 Other Exceptions to Notice and Opt Out Requirements

As noted above, section 502(e) contains several exceptions to the requirements that otherwise would apply to the disclosures of nonpublic personal information to nonaffiliated third parties. Proposed § 716.11 sets out those exceptions that are not made in connection with the administration, processing, servicing, and sale of a consumer's account.

One of the exceptions stated in proposed § 716.11 is for disclosures made with the consent or at the direction of the consumer, provided the consumer has not revoked the consent. Following the list of exceptions is an example of consent in which a credit union that has received an application from a consumer for a mortgage loan informs a nonaffiliated insurance company that the consumer has applied for a loan and may need to purchase homeowner's insurance. Consent in such a situation would enable the credit union to make the disclosure to the third party without first providing the initial notice required by § 716.4 or the opt out notice required by § 716.7, but the disclosure must not exceed the purposes for which consent was given. The example also states that consent may be revoked by a consumer at any time by the consumer exercising the right to opt out of future disclosures. NCUA invites comment on whether safeguards should be added to the exception for consent in order to minimize the potential for consumer confusion. Such safeguards might include, for instance, that consent be written or that it be indicated on a separate signature line in a relevant document or on a distinct Web page.

Section 716.12 Limits on Redisclosure and Reuse of Information

Section 716.12 of the proposed rule implements the GLB Act's limitations on redisclosure and reuse of nonpublic personal information about consumers. Section 502(c) provides that a nonaffiliated third party that receives nonpublic personal information from a financial institution shall not, directly or through an affiliate of the third party, disclose the information to any person that is not affiliated with either the financial institution or the third party, unless the disclosure would be lawful if made directly by the financial institution. Paragraph (a)(1) sets out the GLB Acts redisclosure limitation as it applies to a credit union that receives information from another financial institution. Paragraph (b)(1) mirrors the provisions of paragraph (a)(1), but applies the redisclosure limits to any nonaffiliated third party that receives nonpublic personal information from a credit union.

The GLB Act appears to place the institution that receives the information into the shoes of the institution that disclosed the information for purposes of determining whether redisclosures by the receiving institution are “lawful.” Thus, the GLB Act appears to permit the receiving institution to redisclose the information to (1) an entity to whom the original transferring institution could disclose the information pursuant to one of the exceptions in §§ 716.9, 716.10, or 716.11, or (2) an entity to whom the original transferring institution could have disclosed the information as described under its privacy policies and practices, unless the consumer has exercised the right to opt out of that disclosure. Because a consumer can exercise the right to opt out of a disclosure at any time, the GLB Act may effectively preclude third parties that receive information to which the opt out right applies from redisclosing the information, except pursuant to one of the exceptions in §§ 716.9, 716.10, or 716.11. NCUA invites comment on whether the rule should require a credit union that discloses nonpublic personal information to a nonaffiliated third party to develop policies and procedures to ensure that the third party complies with the limits on redisclosure of that information.

Sections 502(b)(2) and 502(e)(as implemented by §§ 716.9, 716.10, and 716.11 of the proposed rule) describe when a financial institution may disclose nonpublic personal information without providing the consumer with the initial privacy notice and an opportunity to opt out, but those exceptions apply only when the information is used for the specific purposes set out in those sections. Paragraph (a)(2) of proposed § 716.12 clarifies this limitation on reuse as it applies to credit unions. Paragraph (a)(2) provides that a credit union may use nonpublic personal information about a consumer that it receives from a nonaffiliated financial institution in accordance with an exception under §§ 716.9, 716.10, or 716.11, only for the purpose of that exception. Paragraph (b)(2) applies the same limits on reuse to any nonaffiliated third party that receives nonpublic personal information from a credit union.

NCUA invites comment on the meaning of the word “lawful” as that term is used in section 502(c). NCUA specifically solicits comment on whether it would be lawful for a nonaffiliated third party to disclose information pursuant to the exception provided in proposed § 716.9. Under that exception, a credit union must comply with certain requirements before disclosing information to a nonaffiliated third party. Given that the statute and proposed rules impose those requirements on credit unions making the initial disclosure, NCUA invites comment on whether subsequent disclosures by the third party could satisfy the requirement that those disclosures be lawful when the credit union is not party to the subsequent disclosure. Start Printed Page 10998

Section 716.13 Limits on Sharing of Account Number Information for Marketing Purposes

Section 502(d) of the GLB Act prohibits a financial institution from disclosing, other than to a consumer reporting agency, an account number or similar form of access number or access code for a credit card account, deposit account, or transaction account of a consumer to any nonaffiliated third party for use in telemarketing, direct mail marketing, or other marketing through electronic mail to the consumer. Proposed § 716.13 restates this statutory prohibition with minor stylistic changes intended to make the rule easier to read.

NCUA notes that there is no exception in Title V to the flat prohibition established by section 502(d). The Statement of Managers contained in the Conference Report to S. 900 encourages the Agencies to adopt an exception to section 502(d) to permit disclosures of account numbers in limited instances. It states—

In exercising their authority under section 504(b) [which vests the Agencies with authority to grant exceptions to section 502(a)-(d) beyond those set out in the statute], the agencies and authorities described in section 504(a)(1) may consider it consistent with the purposes of this subtitle to permit the disclosure of customer account numbers or similar forms of access numbers or access codes in an encrypted, scrambled, or similarly coded form, where the disclosure is expressly authorized by the customer and is necessary to service or process a transaction expressly requested or authorized by the customer.

NCUA, like the other Agencies, has not included an exception to the prohibition of section 502(d) in the proposed rules, however, because of concerns about the potential for abuse that exists when someone other than a credit union is able to access a consumer's account.

NCUA seeks comment on whether section 502(d) prohibits the disclosure by a credit union to a marketing firm of encrypted account numbers if the credit union does not provide the marketer the key to decrypt the number, and on whether an exception to the section 502(d) prohibition could avoid creating the risks that may arise when a third party is provided access to a consumer's account. NCUA also seeks comment on whether a flat prohibition as set out in section 502(d) might unintentionally disrupt routine, unobjectionable practices, such as the disclosure of account numbers to a service provider who handles the preparation and distribution of monthly checking account statements for a credit union coupled with a request by the institution that the service provider include literature with the statement about a product. In addition, NCUA invites comment on whether a consumer ought to be able to consent to the disclosure of his or her account number notwithstanding the general prohibition in section 502(d) and, if so, what standards should apply.

Section 716.14 Protection of Fair Credit Reporting Act

Section 506 makes several amendments to the FCRA to vest rulemaking authority in various agencies and to restore the Agencies' regular examination authority. Paragraph (c) of section 506 states that, except for the amendments noted regarding rulemaking authority, nothing in Title V is to be construed to modify, limit, or supersede the operation of the FCRA, and no inference is to be drawn on the basis of the provisions of Title V whether information is transaction or experience information under section 603 of the FCRA.

Proposed § 716.14 implements section 506(c) of the GLB Act by restating the statute, making only minor stylistic changes intended to make the rule clearer.

Section 716.15 Relation to State Laws

Section 507 of the GLB Act states, in essence, that Title V does not preempt any state law that provides greater protections than are provided by Title V. Determinations of whether a state law or Title V provides greater protections are to be made by the Federal Trade Commission (FTC) after consultation with the agency that regulates either the party filing a complaint or the credit union about whom the complaint was filed. Determinations of whether state or federal law afford greater protections may be initiated by any interested party or on the FTC's own motion.

Proposed § 716.15 is substantively identical to section 507, noting that the proposed rules (as opposed to the statute) do not preempt state laws that provide greater protection for consumers than does the regulation.

Section 716.16 Effective Date; Transition Rule

Section 510 of the GLB Act states that, as a general rule, the relevant provisions of Title V take effect 6 months after the date on which rules are required to be prescribed. However, section 510(1) authorizes the Agencies to prescribe a later date in the rules enacted pursuant to section 504. The provisions in sections 504 and 506 that vest various agencies with rulemaking authority have been effective as of the date on which the GLB Act was enacted, namely, November 12, 1999.

Proposed § 716.16 states, in paragraph (a), an effective date of November 13, 2000. This assumes that a final rule will be enacted within the time frame prescribed by section 504(a)(3). NCUA intends to provide at least six months following the enactment of a final rule for credit unions to bring their policies and procedures into compliance with the requirements of the final rule. NCUA invites comment on whether six months following adoption of final rules is sufficient to enable credit unions to comply with the rules.

Paragraph (b) of proposed § 716.16 provides a transition rule for consumers who were members or nonmember customers as of the effective date of the rules. Those member or nonmember customer relationships already will have been established as of the effective date so, the rules require that the initial notice be provided within 30 days of the effective date. NCUA invites comment on whether 30 days is enough time to permit a credit union to deliver the required notices, bearing in mind that the GLB Act contemplates at least a six-month delayed effective date from the date the rules are adopted.

If a credit union intends to disclose nonpublic personal information about someone who was a consumer before the effective date but who has not obtained any financial product or service from the credit union since then, it must first provide the notices required by §§ 716.4 and 716.7 and provide a reasonable opportunity to opt out.

If, in this instance, the credit union already is disclosing information about such a consumer, it may continue to do so without interruption until the consumer opts out, in which case the credit union must stop disclosing nonpublic personal information about that consumer to nonaffiliated third parties as soon as reasonably practicable.

Section 741.220 Privacy of Consumer Financial Information

This provision requires all federally-insured credit unions to adhere to the provisions in part 716.

III. Regulatory Procedures

A. Paperwork Reduction Act

NCUA invites comment on:

(1) Whether the collections of information in the proposed 12 CFR part 716 are necessary for the proper performance of NCUA's functions, including whether the information has practical utility; Start Printed Page 10999

(2) The accuracy of NCUA's estimate of the burden of the information collections;

(3) Ways to enhance the quality, utility, and clarity of the information NCUA must collect under this regulation;

(4) Ways to minimize the burden of the information collections on credit unions, including the use of automated collection techniques or other forms of information technology; and

(5) Estimates of capital or start-up costs and costs of operation, maintenance, and purchase of services to provide information.

Recordkeepers are not required to respond to this collection of information unless it displays a currently valid Office of Management and Budget (OMB) control number. NCUA is currently requesting a control number for this information collection from OMB.

This proposed regulation contains several disclosure requirements. Credit unions must prepare and provide the initial notice to all current members and nonmember customers and all new members and nonmember customers upon the commencement of a member or nonmember customer relationship. 12 CFR 716.4(a). Subsequently, credit unions must provide an annual notice to all members and nonmember customers at least once during a twelve-month period during the continuation of the member or nonmember customer relationship. 12 CFR 716.5(a). The credit union must provide the consumer with the opt out notice (and partial opt out notice, if applicable (see 12 CFR 716.7(a)(1)(iii)) prior to disclosing nonpublic personal information to certain nonaffiliated third parties. If a credit union wishes to disclose information in a way that is inconsistent with the notices previously given to a consumer, the credit union must provide consumers with revised notices. 12 CFR 716.8(c)).

This proposed regulation contains consumer reporting requirements. In order for consumers to invoke their right to opt out, they must respond to the credit union's opt out notice. 12 CFR 716.7(a)(2), (3)(i), and (c). The consumer has the right to change or update their opt out status with the credit union at any time. 12 CFR 716.8(d) and (e).

NCUA requests public comment on all aspects of the collections of information contained in this proposed rule, including consumer responses to the opt out notice and consumer changes to their opt out status with a credit union. In light of the uncertainty regarding what credit unions will do to comply with the opt out requirements and how consumers will react, NCUA estimates a nominal burden stemming from consumer responses of one hour per credit union, and will revisit this estimate in light of the comments NCUA receives.

NCUA will submit the collection of information requirements contained in the regulation to the OMB in accordance with the Paperwork Reduction Act of 1995. 44 U.S.C. 3507. The NCUA will use any comments received to develop its new burden estimates. Comments on the collections of information should be sent to Office of Management and Budget, Reports Management Branch, New Executive Office Building, Room 10202, Washington, DC 20503; Attention: Alex T. Hunt, Desk Officer for NCUA. Please send NCUA a copy of any comments you submit to OMB.

The likely respondents are federally-insured credit unions.

Estimated number of respondents: 10,627.

Estimated average annual burden hours per respondent: 45 hours.

Estimated total annual disclosure and recordkeeping burden: 478,215.

B. Regulatory Flexibility Act

The Regulatory Flexibility Act requires NCUA either to prepare an initial regulatory flexibility analysis (IRFA) with this proposed rule or certify that the proposed rule would not have a significant economic impact on a substantial number of small credit unions. For purposes of the Regulatory Flexibility Act and in accordance with NCUA's authority under 5 U.S.C. 601(4), NCUA has determined that small credit unions are those with less than one million dollars in assets. See 12 CFR 791.8(a). NCUA cannot at this time determine whether the proposed rule would have a significant economic impact on a substantial number of small credit unions. Therefore, NCUA includes the following IRFA.

The supplementary material above contains a description of the reasons why NCUA is considering action and a statement of the objectives of, and legal basis for, the proposed rule. NCUA's proposed rule will apply to approximately 1,626 small credit unions, out of a total of approximately 10,627 federally-insured credit unions.

Overlap with other federal rules. While the scope of the proposed regulation (pursuant to the GLB Act) is unique, it may, in certain circumstances, overlap with the following statutes and regulations:

1. The Fair Credit Reporting Act (15 U.S.C. 1681a(d)(2)) requires a credit union that (i) does not want to be treated as a consumer reporting agency and (ii) desires to share certain consumer information (that is, application or credit report information) with its affiliates, to provide the consumer with a clear and conspicuous notice and an opportunity to opt out of such information sharing.

2. At the time a consumer contracts for an electronic fund transfer service, the Electronic Funds Transfer Act (15 U.S.C. 1693c(a)(9)) requires the credit union to disclose the terms and conditions of the transfer, including under what circumstances the credit union will in the ordinary course of business disclose information concerning the consumer's account to third persons.

3. The recently proposed Department of Health and Human Services regulations that implement the Health Insurance Portability and Accountability Act of 1996 (42 U.S.C. 3120d-1 et seq.) would, if adopted in final form, limit the circumstances under which medical information may be disclosed. 64 FR 59918 (Nov. 3, 1999).

4. The Children's Online Privacy Protection Act of 1998 (15 U.S.C. 6502) (under which the NCUA must enforce the Federal Trade Commission's implementing regulations) generally requires online service operators collecting personal information from a child to obtain parental consent and post a privacy notice on the web site.

New compliance requirements. The proposed rule contains new compliance requirements for credit unions, most of which are required by the GLB Act. The credit unions will be required to prepare notices of their privacy policies and practices and provide those notices to consumers as the rule specifies. Credit unions that disclose nonpublic personal information about consumers to nonaffiliated third parties will be required to provide opt out notices to consumers as well as a reasonable opportunity to opt out of certain disclosures. Credit unions will have to develop systems for keeping track of consumers' opt out directions. Some credit unions, particularly those that decide to disclose nonpublic information about consumers to nonaffiliated third parties, will likely need the advice of legal counsel to ensure that they comply with the rule, and may also require computer programming changes and additional staff training. NCUA does not have a practicable or reliable basis for quantifying the costs of the proposed rule or any alternatives, but seeks comment on the potential costs.

Exemptions for small credit unions. NCUA seeks comment on whether the Start Printed Page 11000requirements of the Act and this rule will create additional burden for small credit unions, particularly those that disclose nonpublic personal information about consumers to nonaffiliated third parties. The rule applies to all federally-insured credit unions, regardless of size. The Act does not provide NCUA with the authority to exempt a small credit union from the requirement to provide a notice of its privacy policies and practices to a consumer with whom it establishes a member or nonmember customer relationship. Although NCUA could exempt small credit unions from providing a notice and opportunity for consumers to opt out of certain information disclosures, NCUA does not believe that such an exemption would be appropriate, given the purpose of the Act to protect the confidentiality and security of nonpublic personal information about consumers. NCUA believes that the burden is relatively small for credit unions that do not disclose nonpublic personal information about consumers to nonaffiliated third parties. These credit unions may provide relatively simple initial and annual notices to consumers with whom they establish member or nonmember customer relationships.

NCUA recognizes that the Congressional Conferees on the Act wished to ensure that smaller financial institutions are not placed at a competitive disadvantage by a statutory regime that permits certain information to be shared freely within an affiliate structure while limiting the ability to share that same information with nonaffiliated third parties. The Conferees stated that, in prescribing regulations, the federal regulatory agencies should take into consideration any adverse competitive effects upon small commercial banks, thrifts, and credit unions. See H.R. Conf. Rep. No. 106-434, at 173 (1999). At this time, it is not clear if information-sharing among affiliates in large institutional entities will place small credit unions at a disadvantage. NCUA believes that further experience under the regulation would be appropriate before considering any exemptions in this area for small credit unions.

NCUA requests comment on the burdens associated with the proposed rule and whether any exemptions for small credit unions would be appropriate.

C. Executive Order 13132

Executive Order 13132 encourages independent regulatory agencies to consider the impact of their regulatory actions on state and local interests. In adherence to fundamental federalism principles, NCUA, an independent regulatory agency as defined in 44 U.S.C. 3502(5), voluntarily complies with the executive order. This proposed rule, if adopted, will apply to all federally-insured credit unions, but it will not have substantial direct effects on the states, on the relationship between the national government and the states, or on the distribution of power and responsibilities among the various levels of government. Section 507 of the GLB Act states that state law may provide greater consumer protections than this proposed rule. In that event, federal law would not preempt state law. NCUA has determined the proposed rule does not constitute a policy that has federalism implications for purposes of the Executive order.

D. The Treasury and General Government Appropriations Act, 1999—Assessment of Federal Regulations and Policies on Families

NCUA has determined that the proposed rule will not affect family well-being within the meaning of section 654 of the Treasury and General Government Appropriations Act, 1999, Pub. L. 105-277, 112 Stat. 2681 (1998).

IV. Agency Regulatory Goal

NCUA's goal is clear, understandable regulations that impose minimal regulatory burden. We request your comments on whether the proposed amendment is understandable and minimally intrusive if implemented as proposed.

List of Subjects

12 CFR Part 716

• Consumer protection
• Credit unions
• Privacy
• Reporting and recordkeeping requirements

12 CFR Part 741

• Bank deposit insurance
• Credit Unions
• Reporting and recordkeeping requirements

For the reasons set out in the preamble, it is proposed that 12 CFR chapter VII be amended by adding a new part 716 to read as follows:

PART 716—PRIVACY OF CONSUMER FINANCIAL INFORMATION

Authority: 15 U.S.C. 6801 et seq., 12 U.S.C. 1751 et seq.

PART 741—REQUIREMENTS FOR INSURANCE

1. The authority citation for part 741 continues to read as follows:

Authority: 12 U.S.C. 1757, 1766, and 1781-1790. Section 741.4 is also authorized by 31 U.S.C. 3717.

2. Add § 741.220 to part 741 to read as follows: