CUNA Comment Letter

March 26, 2004

Ms. Becky Baker
Secretary of the Board
National Credit Union Administration
1775 Duke Street
Alexandria, Virginia 22314-3428

Re: Interagency Proposal on Privacy Notices
(Part 716)

Dear Ms. Baker:

The Credit Union National Association (CUNA) appreciates the opportunity to comment on an interagency proposal to consider alternative forms of the annual privacy notices that financial institutions are required to provide consumers under the Gramm-Leach-Bliley Act. CUNA represents more than 90 percent of our nation’s nearly 10,000 state and federal credit unions. The following comments were developed by CUNA with input from credit unions, credit union leagues, and CUNA’s Consumer Protection Subcommittee, chaired by Kris Mecham, CEO of Deseret First Credit Union, Salt Lake City, Utah.

Summary of CUNA's Position

The federal financial institution regulators, including NCUA (hereinafter referred to as the “Agencies”), have jointly issued this proposal to solicit comments on a wide range of issues associated with the format, elements, and language used in the privacy notices that would make the notices more accessible, readable, and useful. As part of this process, the Agencies are interested in receiving comments that may require regulatory changes, as well as those that may require changes to the statutory provisions of the Gramm- Leach-Bliley Act.

The proposal outlines the following approaches for simplifying the privacy notices:

Annual Privacy Notices in the Current Form are Unnecessary

The requirement to deliver privacy notices in their current form on an annual basis is unnecessary, especially for credit unions that are not required to provide their members with the right to opt-out of certain information-sharing. A privacy notice at the beginning of the relationship with the financial institution should be sufficient, as well as an additional notice whenever there is a change in the privacy policy. Instead of focusing on shortening or changing the language and format of the current notices, we propose the following approach, which would also achieve the Agency’s goal of streamlining this process:

Credit unions believe that the overriding goal of the privacy notices they deliver to their members is to reinforce and maintain the trust and confidence members currently have regarding information the credit union shares and safeguards. This goal will not be compromised by our proposal, as described above, to streamline the annual privacy notice process. Members already have such a high level of trust and confidence in their credit union to the extent that they may not have a need or desire to read the same notice that they received when they began their member relationship. Credit unions, as not-for-profit financial institutions owned by their members, have no interest in sharing information in a manner that would be harmful to their members. We also believe that even if the annual privacy notice requirements are changed, a number of credit unions may continue to deliver their full privacy notice on an annual basis as a means to reinforce their information-sharing practices and to assure their members that the information is adequately protected.

There is no Current Need to Change the Format or Language of Credit Union Privacy Notices

Although credit unions recognize that the current privacy notices issued by certain types of financial institutions have been criticized as overly complex and have not proven useful for consumers, we believe such criticisms do not apply to the privacy notices issued by credit unions. Credit union privacy notices are currently rather short and uncomplicated, as compared to notices issued by larger financial institutions with more extensive and complicated information-sharing practices. Also, as we discussed with the Agencies during our February 17, 2004 meeting regarding this proposal, a significant number of credit unions shared with us their members’ reactions to their privacy notices. An overwhelming majority informed us that neither the credit union nor their members have expressed concern that these notices are overly long or complex.

We also believe that a standardized format and standardized language may not benefit consumers. Most consumers receive numerous privacy notices from their financial institutions, brokerage firms, insurance companies, and other financial service providers. Consumers will be even less inclined to read each of these notices if they are all similar to each other, as they will have no desire to read the same boilerplate language over and over again.

Also, credit unions use certain terminology that is not used by other types of financial institutions, which will make standardization even more difficult. For example, credit unions often use the term “share drafts” instead of “checks” and “members” instead of “customers.”

If the Agencies pursue such standardization, we suggest that financial institutions should have the option of using the standardized format and language. Credit unions would appreciate the guidance that such models would provide if they were offered on a voluntary basis, and credit unions that elect to use such models should be deemed in compliance with the privacy rules.

Financial institutions should also always have the option to include any additional information in the notice that may be helpful for consumers. Because members may have been provided a right to opt-out of information-sharing at other financial institutions, a number of credit unions elect to explain in their privacy notices the reason that such a right is not provided with regard to the limited information-sharing practices that take place at the credit union. Many credit unions also include information about identity theft in their notices, a rapidly escalating financial crime that results from the misuse of personal information. It is primarily the risk of being a victim of identity theft that has caused consumers to take actions to protect their personal information.

The proposal also discusses the possibility of layering a short privacy notice in connection with a longer notice that would comply with the current requirements, either including the short notice on top of the longer notice if both are provided in paper or linking a short notice with a longer notice that would be available on a credit union website. Although financial institutions should certainly have the option of providing both a short and long version of their privacy notices, requiring a short notice would not be appropriate for credit unions. As discussed above, the “long” notice is already rather short and issuing these in connection with another “short” notice could be confusing because the member would actually receive two rather short notices that would be similar to each other. The member would not understand the reason for receiving two notices instead of one, and we suspect that very few members would be interested in reading two similar notices.

Requiring a financial institution to maintain two different notices describing its privacy policy would impose twice the administrative burden on institutions of reviewing and reprinting these notices on an annual basis. It is doubtful whether consumers would experience a comparable increase in their levels of understanding of the institutions’ privacy policies as a result of such a bifurcated notice requirement, particularly if their financial institutions’ existing privacy notices are already concise and easy for them to understand. If short privacy notices are required, credit unions would prefer to have access to a sample notice, approved by the regulators, for use as a reference. This would make the initial development of the short notice much easier because financial institutions would know what the regulators expect.

Based on this information, we do not at this time support changes in the privacy rules or statutes that would require changes in the language and format of the current privacy notices. The privacy rules currently do not prescribe any specific format or standardized wording for a financial institution’s privacy notice. Instead, institutions may design their own notices based on their individual practices, provided they are consistent with the law and meet the “clear and conspicuous” standard in the rules.

When these rules were issued in final form, credit unions undertook a comprehensive effort to draft their privacy notices, taking steps to ensure that the notices would be as concise as possible, easy for members to understand, and written using “plain English” wording and grammar. As a result of this difficult and costly process, which often included numerous revisions, privacy notices were developed that clearly and conspicuously describe credit unions privacy policies and in many cases also provide members with additional pertinent privacy-related information that is not required by the rules. As a result, credit unions have received relatively few negative comments from members on the content of the privacy notices.

However, credit unions are always willing to review specific proposals that may be offered by those that have been critical of the format and language of these privacy notices and to consider adopting changes that will help their members better understand how their information is shared.

Also, as the regulators proceed with this rulemaking process, they should take into consideration all types of privacy notices, including those issued by credit unions. The regulators should not implement rule changes that would impose additional burden on all financial institutions when some notices are already clear, conspicuous, and easy to understand.

Possible Suggestions if the Agencies are Committed to Changing the Privacy Notices

We appreciate that the Agencies are carefully considering how privacy notices can be shortened, at least in part in response to criticisms that privacy notices issued by certain financial institutions are rather lengthy. Although we believe this does not apply to credit union privacy notices, we do have suggestions to offer to alleviate such concerns if the Agencies are committed to changing the privacy notices.

One possible suggestion to simplify the privacy notices for both financial institutions and consumers is to require some type of notice only if the institution is required to provide the consumer with the right to opt-out of certain information-sharing. We believe this is the most practical approach and one that credit unions would overwhelmingly support because the opt-out option is for all practical purposes the only situation in which credit union members can control and actually take action to limit the information- sharing, other than to change their financial service provider.

Many of those that propose shorter privacy notices also stress the need for more clarity. We believe that these may be conflicting goals in that additional clarity may actually result in longer privacy notices. For example, more information would be needed to explain affiliate relationships and the meaning of the term “joint marketing agreements,” which encompass the marketing of products and services offered under joint agreements with other financial institutions.

As we discussed with the Agencies during the course of our February 17th meeting, one way to resolve these seemingly conflicting goals is for one or more of the Agencies, such as the Federal Trade Commission (FTC), to provide this additional information. For example, this could be included on the FTC’s website, and the privacy notices would provide links to the website or offer additional means if the consumer wants to obtain this information.

We also recognize that there are efforts to advocate changing the privacy notices in a manner that utilizes a format similar to nutrition labels that are currently used on food and beverage products, similar to certain of the appendices that the Agencies have included in the proposal. Although the simplicity of such an approach may be appealing, we believe that notices that are similar to current nutrition labels will not be able to include enough information for the consumer without a significant amount of additional consumer education. Privacy notices and food content are very different. Most consumers are familiar with terms such as “calories,” “fat,” “protein,” cholesterol,” and “carbohydrates,” but again, are not familiar with terms such as “affiliates” and “joint marketing agreements.” Also, although consumers may compare food and beverage products by comparing nutrition labels, there is no indication that consumers shop for financial products and services based on privacy policies.

If the goal of the Agencies is to shorten privacy notices, one approach may be to remove certain provisions of the current privacy notices. Here are suggestions with regard to deleting portions of the current notice:

Joint Marketing Agreements Must be Preserved

As mentioned above, we understand that the Agencies are open to receiving comments regarding current privacy notices, even to the extent that implementing such changes would require statutory changes. During the debate on the privacy provisions of the Gramm-Leach-Bliley Act, CUNA and others worked very hard to include provisions regarding joint marketing agreements. The Gramm-Leach-Bliley Act privacy provisions specifically allow information- sharing under these agreements without the need to provide consumers with the right to opt-out. This was necessary so that credit unions and other small financial institutions with few, if any, affiliates could compete effectively with larger financial institutions that have the ability to share information with their various affiliates without the need to provide their customers with the right to opt-out. It is imperative that these provisions not be amended to any extent that would adversely affect a credit union’s ability to compete effectively with larger institutions.

Any Changes to Privacy Notices Should be Considered in Connection with the FACT Act Rules that will be Issued Later this Year

President Bush this past December signed into law the Fair and Accurate Credit Transactions (FACT) Act that permanently extends the federal preemptions for credit reporting under the Fair Credit Reporting Act. The law also creates a number of important new consumer protections designed to help prevent identity theft and assist consumers who become victims of this rapidly growing crime. It also contains new restrictions on information-sharing and creates a new federal commission that will coordinate financial education efforts at the national, state, and local levels.

The FACT Act will be implemented through a number of new rules that will be developed over the next several months. As a result of these rules, consumers will receive more information and additional means to protect themselves from identity theft and the damage that results when they become victims of this crime.

We believe that the consumers’ interest with regard to how their information is shared, as described in the privacy notices, derives primarily from the concern that such information may be used to commit identity theft or other crimes that may result in significant costs in terms of time and money. Because of this concern, we believe that it may be preferable to review possible changes to the privacy notices in connection with the FACT Act rules that will be issued later this year. These new rules will provide significant, additional protections in this area and there may be ways to integrate the information in the privacy notices with the information delivered to consumers that will be required as a result of the new FACT Act rules.

Credit Unions will Need Sufficient Time to Comply with any Changes to the Privacy Notices

Any changes with regard to the privacy notices will require a significant amount of time in order to implement as they will need to be phased in over the course of an annual privacy notice cycle. For example, if the agencies amend the privacy notice requirements in 2004, such changes should not be required until 2006 since they would have to be made and new notices delivered to consumers throughout 2005, depending on the time of year that each institution delivers its annual notice.

Thank you for the opportunity to comment on the Agencies proposal with regard to privacy notices. If Board members or agency staff have questions about our comments, please contact Associate General Counsel Mary Dunn or me at (202) 638-5777.

Sincerely,

Jeffrey Bloch
Assistant General Counsel