CUNA Comment Letter
Comments on the GLBA Information Sharing Study
VIA E-MAIL: firstname.lastname@example.org
May 1, 2002
Regulations and Legislation Division
Attn: Study on GLBA Information Sharing
Chief Counsel's Office
Office of Thrift Supervision
1700 G Street, NW
Washington, DC 20552
RE: Comments on the GLBA Information Sharing Study
Dear Sir or Madam:
The Credit Union National Association (CUNA) appreciates the opportunity to comment on the study being conducted by the Department of the Treasury (Treasury) and other federal agencies regarding the information sharing practices among financial institutions and their affiliates. The study is required by the Gramm-Leach-Bliley Act of 1999 (GLBA) and upon completion, the Secretary of the Treasury will submit a report to Congress of the study's findings and conclusions, as well as possible recommendations for legislative or administrative actions.
CUNA is the country's largest credit union advocacy organization, representing approximately 90% of the nation's 10,500 state and federal credit unions. This letter reflects the opinions of those credit unions and the opinions of CUNA's Consumer Protection Subcommittee, chaired by Kris Mecham, CEO of Deseret First Credit Union, Salt Lake City, Utah.
Summary of CUNA's Comments
Credit unions are very concerned about the privacy of their members' information and have complied in good faith with the GLBA rules. Compliance with the GLBA rules has helped both credit unions and their members focus on and achieve the mutual goal of protecting this information to the extent possible.
Treasury has requested input on a series of questions designed to collect specific information regarding information sharing practices. As member-owned, not-for-profit cooperatives, credit unions do not share information, especially for the purpose of marketing products, to nearly the same extent as other financial institutions that seek to increase their profits through such practices. Also, for many of these questions, different credit unions may have different responses, depending on factors such as the size of the credit union and the needs of the particular membership.
For these reasons, and as the trade association representing most of this country's credit unions, we believe that our role in this process should be to provide general comments and observations on information sharing practices among credit unions, rather than addressing every specific question that was included in the study. Under separate cover, we will forward to you by mail the responses that we have received from those credit unions that answered the specific questions. Also, as requested by Treasury, this letter will reference the specific question in the study to the extent that the comment relates to the topic addressed by that question.
Based on the input we received from credit unions, we offer the following comments:
- Congress should enact legislation to preempt state privacy laws that would be more restrictive than those included in the GLBA.
- The current privacy requirements outlined in the GLBA and the rules that were later issued are sufficient and adequately balance the privacy rights of consumers with the need for financial institutions to provide services in an efficient and cost-effective manner.
- Future efforts with regard to privacy should be focused on industry guidelines and standards that address fraud and information security.
Congress Should Preempt More Restrictive State Privacy Laws
Question 6(a) requests information as to whether existing laws are adequate to protect consumer privacy. We believe current laws are adequate and we also believe that the GLBA provisions should preempt state privacy laws that are more restrictive. Currently, the GLBA permits states to enact more restrictive privacy laws. Although fewer states are considering such laws this year, as opposed to last year, there is still the potential that a patchwork of state privacy laws will be developed eventually.
The costs of complying with the GLBA privacy rules have already been high and very burdensome for smaller financial institutions, such as credit unions. For banks and thrifts, which were the primary beneficiaries of the new powers and other benefits conferred by GLBA, perhaps these costs were a worthwhile price to pay for increased operating flexibility in other areas. Credit unions, however, which did not oppose new powers for banks and thrifts, received only new burdens from this legislation.
The costs of complying with additional state laws will increase this burden even further. Credit unions will be required to bear the costs of complying with various state laws, but also will have to monitor which of their members reside in a state with a more restrictive privacy law. Even if a credit union does not currently have members that reside in one of these states, the credit union will still have to monitor and comply if a member later moves to one of these states. As member-owned, not-for-profit cooperatives, the additional costs are borne by the members, either in the form of higher loan rates or lower rates on share deposit accounts.
Not only will the compliance costs be high, but it will be very difficult to train credit union staff on the specifics of each state law. We also believe that credit union members will be confused in understanding their privacy rights if a number of states enact privacy laws that vary from the GLBA privacy rules. Most credit unions are small financial institutions and often do not have the resources to employ more staff to monitor these additional requirements. Also, the regulatory burden on credit unions has already increased substantially this year. This includes several new rules that will be issued this year as a result of the USA Patriot Act of 2001, as well as new requirements that have recently been added to the Federal Reserve Board's Regulation C, the Home Mortgage Disclosure Act.
If faced with a patchwork of state privacy laws that are more restrictive than the GLBA rules, it would be helpful if there was a repository of these laws maintained at a federal agency, such as Treasury or the Federal Reserve Board. This would provide financial institutions with one location in which they could receive information about state privacy laws, rather than having to constantly monitor the laws of all the states in which the institution conducts business. This would be of particular benefit to smaller financial institutions, such as credit unions, that may not have sufficient legal or compliance staff to assist them in these efforts.
Current GLBA Rules Adequately Balance Privacy Rights and the Need to Share Information
Question 6(b) of the study requests input on whether there should be new privacy laws and rules or whether current laws and rules should be revised. As stated above, CUNA strongly believes that existing laws adequately protect consumer privacy. When the privacy provisions of the GLBA were being drafted, Congress heard from those who supported strong privacy rights, as well as from those who opposed additional privacy protections out of concern that reduced information sharing would disrupt or increase the costs of products and services for consumers. Congress carefully considered these opposing viewpoints and drafted privacy provisions that carefully balance the need for additional privacy protections with the need to allow for continued information sharing to ensure that consumers receive products and services in a cost-efficient manner.
Questions 7(a) and (b) request input regarding the adequacy of privacy disclosures. We believe that current credit union privacy notices are designed to help consumers and that further revisions are unnecessary. The GLBA has now been in effect for two years and credit unions are now in the process of issuing the second of the annual privacy notices that are required to be distributed. As with other types of financial institutions, credit unions struggled in developing the initial privacy notices in early 2000. The difficulty in drafting these notices was the result of the need to comply with these new and complex rules, as well as the uncertainty as to what the regulators' expectations were with regard to these new privacy notices.
Although the process was difficult and costly, credit unions were very successful in developing privacy notices that were in compliance with the new rules and were relatively short and easy to understand. Credit unions were successful because they want their members to understand how their information is used and because credit unions do not share information to the same extent as other types of financial institutions. The information sharing is not as extensive because as member-owned, not-for-profit cooperatives, credit unions do not focus on marketing products and services to increase profits as may be the case with other financial institutions.
We believe credit unions' success with regard to privacy notices can be measured by the low rate at which members have opted out of information sharing when given this choice and by the lack of objection with regard to information that is shared without providing members with the ability to opt out. Credit union members have the ultimate vote with regard to the privacy of their personal information. Because credit unions are democratically controlled and member owned, if they are not pleased with how their information is shared, they can work with their credit union to change its practices.
Because credit unions have successfully developed privacy notices in compliance with the relatively new GLBA privacy requirements, at high cost and great effort, we at this time strongly oppose any changes that would result in a need to re-draft these notices. More time is needed to determine if these efforts have been successful in balancing the privacy rights of consumers with the need to share information for the purpose of providing products and services in a cost-efficient manner.
At the same time, we recognize that other types of financial institutions have developed notices that have been very complex and difficult to understand. In recognition of that, we would support an effort by the financial institutions industry and government to work together to develop voluntary guidelines and sample notices. CUNA would be pleased to participate in this effort and to share credit unions' experiences in developing these notices.
Questions 4(a) and (b) request input on how information sharing benefits consumers and financial institutions. Information sharing allows credit unions to provide products and services in a cost-efficient manner. This information sharing is not generally for the purpose of marketing products that are offered by other entities, but is necessary to provide services directly related to a member's credit union account, such as providing information to vendors for purposes of printing checks. The credit union member benefits by receiving a product or service necessary to maintain the account and such benefits are not delayed in order to obtain permission to use personal information. This also results in cost savings for the credit union. Because credit unions are member-owned, not-for-profit cooperatives, this savings is passed directly to the members in the form of lower loan rates or higher rates on deposit accounts.
Questions 8(a) - (c) request input regarding different approaches to permit consumers to direct that certain information not be shared. The current privacy provisions are primarily based on an "opt-out" system in which certain information may be shared, as long as it is disclosed in the notice and the consumer elects not to opt out of the information sharing. We recognize that there are proposals in Congress and in certain states that would require an "opt in" approach for certain information in which the information is not shared, unless the consumer affirmatively agrees to allow for such sharing. We strongly oppose a scenario in which certain information would be subject to an "opt in" system and other information subject to an "opt out" system. This would be very difficult for credit unions to administer and members would be confused as to how they can control their personal information. Such a scenario would also result in more complex privacy notices for all types of financial institutions, including credit unions, which would conflict with the goal of simplifying the current notices.
CUNA would also strongly oppose any change that would alter the current exception in the privacy rules that allows for the sharing of information under the joint marketing agreements without providing consumers with the right to opt out. This exception allows smaller financial institutions to achieve the benefits of information sharing that are afforded to larger institutions that are permitted to share information with multiple affiliates without providing this opt out right.
CUNA was actively involved in the GLBA legislative process to ensure that credit unions would not find themselves at a competitive disadvantage to the new financial conglomerates that will be formed in the future as a result of the GLBA. (Of course, GLBA conferred direct benefits on banks and thrifts, but offered none to credit unions.) Congress specifically recognized the legitimate concerns raised by CUNA and others on behalf of smaller financial institutions and the federal regulators were directed, as part of the rulemaking process, to take into account any adverse competitive effects that may occur. CUNA also wanted to ensure that these provisions provided the necessary flexibility to allow credit unions to disclose financial information that is necessary for legitimate business purposes so that members may continue to receive high quality service and products in an efficient manner. We believe that the GLBA privacy provisions that facilitate the sharing of information under joint marketing agreements have helped to accomplish this goal.
Questions 9(a) and (b) request input regarding the ability of consumers to direct how information may be shared and the effects that this would have on consumers and financial institutions. Credit unions have experienced a number of occasions in which members have received privacy notices and then specifically requested that certain information not be shared even though credit unions are permitted to do so.
Under the GLBA rules, credit unions are not obligated to honor such requests. However, credit unions are not automatically rejecting them. Some credit unions will evaluate each request and may comply with such a request if it is feasible to do so without disrupting the operations of the credit union. We believe that this is the appropriate approach, as opposed to additional legal or regulatory requirements that would compel a specific response. Due to their member ownership, credit unions have a strong incentive to comply with reasonable requests with regard to the sharing of member information.
Future Efforts Should be Focused on Industry Guidelines and Standards that Address Fraud and Security.
With regard to privacy, we believe there are two issues that have been of concern to consumers. One has been the desire for more information and choices about how personal information is shared. The other has been the concern that such information will be used for fraudulent purposes, with identity theft being the primary concern in this area. We believe that fraud and identity theft are receiving greater focus because the GLBA rules have adequately addressed the need to give consumers more information about how their information is shared.
Questions 2(a) - (d) address the extent and adequacy of security procedures for the protection of personal information. We believe that future efforts with regard to privacy must now focus on these issues, primarily fraud and identity theft. One factor accounting for the increased escalation of these crimes has been the evolution of technology, especially the Internet. Although such technology has been of great benefit to consumers with regard to facilitating financial transactions, an unfortunate side effect has been the ease with which criminals can use this technology to compromise the security of personal information and to use it fraudulently.
The GLBA rules addressed this issue by requiring financial institutions to implement security programs to safeguard consumer information. The industry has also taken the lead in establishing industry guidelines in this area that take into account the rapid changes in technology. CUNA is a member of the Banking Industry Technology Secretariat (BITS), which has been working with the financial institutions industry to develop guidelines and standards to protect personal information, while taking into account the latest advances in technology.
One such effort that CUNA has been actively involved in has been the recent guidelines with regard to information technology (IT) service providers. These guidelines should be especially helpful for credit unions because they are likely to rely on outside IT vendors to a greater extent than larger financial institutions. We believe that by working with groups such as BITS, the industry can work cooperatively with government regulators and law enforcement authorities to address the problems of fraud and identity theft in a rapidly changing technological environment. In such an environment, both the industry and government must respond to rapid changes by implementing the best security procedures that are currently available and to be able to change these procedures as circumstances warrant. We believe that industry-developed guidelines would be preferable under these circumstances, as opposed to additional government regulations that may not be able to keep pace with the rapid changes in technology.
* * * * * * * * * * * *
As outlined above, credit unions have been and continue to be concerned about the privacy of their members' information and have complied in good faith with the GLBA rules. They recognize that protecting privacy yields important benefits for both the credit union and the members.
Thank you for the opportunity to comment on the study regarding the information sharing practices among financial institutions and their affiliates. If you or agency staff have questions about our comments, please give Associate General Counsel Mary Dunn or me a call at (800) 356-9655.
Assistant General Counsel