CUNA Comment Letter
Proposed Rule Part 716 Model Form for Privacy Notices
May 25, 2007
Ms. Mary Rupp
Secretary of the Board
National Credit Union Administration Board
1775 Duke Street
Alexandria, VA 22314-3428
RE: Proposed Rule Part 716 Model Form for Privacy Notices
Dear Ms. Rupp:
The Credit Union National Association (CUNA) appreciates the opportunity to comment on an interagency proposal that will provide model forms of the initial and annual privacy notices that financial institutions are required to provide consumers under the Gramm-Leach-Bliley Act. There will be a two-page model form for institutions that are not required to provide consumers with the ability to opt-out of information sharing and a three-page model form for institutions that are required to provide this opt-out right. Under the proposal, financial institutions will be required to use these model forms if they want to guarantee compliance with the privacy rules. CUNA represents approximately 90 percent of our nations 8,600 state and federal credit unions.
Summary of CUNA's Position
- Although the current privacy notices issued by certain types of financial institutions have been criticized as overly complex and have not proven useful for consumers, we believe such criticisms do not apply to the privacy notices issued by credit unions, especially for credit unions that do not need to provide their members with the right to opt-out of information sharing. For this reason, we believe credit unions and other financial institutions should continue to be allowed to use their current notices if they otherwise comply with the current privacy rules.
- We do agree that the proposed model forms will be relatively easy to understand,
especially as compared to the complex forms used by larger financial institutions that
have complex information sharing provisions. However, we offer the following suggestions
for improving these model forms:
- There should be no restriction that the information be printed on one side of an 8½ by 11 piece of paper, as this would drastically increase paper and postage costs, without any corresponding benefits for consumers.
- Financial institutions should not be prohibited from incorporating these notices with other information, as long as these notices are clear and conspicuous.
- The model forms should be more flexible to allow financial institutions to include additional information about provisions of State laws that may apply and guidance on other issues, such as identity theft and the Federal Trade Commissions (FTCs) Do Not Call Registry.
- To the extent credit unions may use the model forms, they should be permitted to use the term member instead of customer.
- With regard to the provisions of the model form on the sharing of information among affiliates, such as credit union service organizations (CUSOs), the form should be clarified to indicate that the opt-out right applies to information used for marketing purposes, and the form should not state that information may be shared thirty days after the consumer receives the notice, since thirty days is only a suggested time period.
- Although financial institutions are only required to honor a consumers request to opt-out of information sharing with affiliates for five years, as stated on the model form, credit unions are likely to honor the request indefinitely.
- Consumers should be informed about any changes in an institutions privacy practices. This may be included in the privacy notice or in a cover letter that accompanies the notice.
- The financial regulators should develop and make available on their websites a readily accessible and downloadable model form that institutions can use to create their own notices by filling in the required information.
- We believe consumers should not be required to provide a Social Security number and other personal information when exercising the right to opt-out of certain information sharing, other than providing their full name and truncated account number.
- The proposed one-year transition period should be sufficient, which will allow financial institutions to use and distribute their current privacy notices for one year after the effective date of the model forms.
Although credit unions recognize that the current privacy notices issued by certain types of financial institutions have been criticized as overly complex and have not proven useful for consumers, we believe such criticisms do not apply to the privacy notices issued by credit unions. Credit unions for the most part use very short and simple notices, since they do not share information in a manner that requires them to provide their members with the right to opt-out of the information sharing. Other credit unions do provide an opt-out right as they may share information with CUSOs, for example, but these notices are also relatively simple as these CUSO relationships are relatively uncomplicated, as compared to the affiliate relationships at the larger financial institutions.
In the years since the current privacy rules have been in effect, there has been no indication whatsoever that credit union members believe that the notices they receive from credit unions are overly long or complex. Requiring credit unions and others to abandon their current notices will not solve the problems caused by the more complex notices being used by those institutions that have more extensive information sharing arrangements.
The National Credit Union Administration (NCUA) and the other financial institution regulators have specifically requested comment as to whether institutions should continue to be allowed to use the simplified notices, as permitted under the current privacy rules. For the reasons noted above, we believe credit unions should still be allowed to use these notices, as well as the other types of notices that they currently use. These notices comply with the requirements of the privacy rules and provide the information in a clear and conspicuous manner, as required under these rules.
We recognize that the proposed model forms are intended to provide a standardized format and language so consumers may easily compare notices from different financial institutions. However, not only are credit union notices already clear and concise, but they are also very similar as compared to other credit unions and institutions that use such notices, since they are all derived from the sample clauses that are currently included in the privacy rules. Financial institutions and their vendors have expended substantial amounts of time and money researching, developing, and testing the current notices. All of this effort will have been wasted if the proposed form is required in all situations, without any modifications.
Consumers should also have little difficulty comparing the relatively short and simple notices currently used by credit unions with the proposed model notices that would be used by the larger financial institutions with more extensive and complicated information sharing practices, which do not include credit unions. We agree that the proposed forms will be easier to understand, as compared to the current forms used by these larger institutions, and consumers should have little difficulty comparing the current notices used by credit unions with the proposed notices used by the larger institutions, even if they do not use the same standardized format.
We also believe that requiring smaller institutions to abandon their already simple notices will penalize credit unions and others that use these types of notices. This would be unfair since these simple notices have not been subject to criticisms as being complex and difficult to understand.
With regard to the proposed model forms, we agree these forms will be relatively easy to understand, as compared to those currently used by larger institutions with more extensive affiliate relationships, and will enable consumers to compare privacy policies among financial institutions. Again, we believe the current simple notices used by credit unions are also easy to understand and for the most part are actually shorter than the proposed model forms.
However, we have a number of suggestions that will improve these model forms, which we believe are necessary if all financial institutions will be required to use these forms in order to guarantee compliance with the privacy rules. Our primary concern is the proposed requirement that these forms be printed on only one side of an 8½ by 11 piece of paper that will either be two or three pages, depending on whether the consumer will have the right to opt-out of certain information sharing. This will drastically increase the costs of providing these notices as it will increase the amount of paper that will be used and will increase the costs of mailing these larger and longer notices.
In contrast, the current notices used by credit unions are usually printed on both sides of one page that is smaller than 8½ by 11. They are usually folded in order to use the space efficiently and in a manner that is easy-to-read.
For these reasons, the additional costs and burden of being required to use only one side of a two or three page model form far outweighs any burden to the consumer, to the extent there is such a burden. The additional paper that would be required for the two or three page model form would also have a detrimental effect on the environment, which is contrary to other government and private sector initiatives that are designed to reduce the use of paper and other natural resources.
The proposal will also prohibit institutions from incorporating the privacy notices with other information. This appears to indicate that these notices cannot be included in other routine mailings, such as periodic and credit card statements, even if the privacy notice is a separate document. The privacy rules issued in 2000 allows a privacy notice to be included in other mailings, as long the notice is clear and conspicuous. We believe this standard should continue and that financial institutions should be allowed to incorporate the notices with other information, as long as they meet the clear and conspicuous standard. Although consumers have complained about notices that are overly complex, we do not believe there has been a concern that consumers have not been able to locate the notices that have been sent to them.
As noted above, NCUA and the other financial institution regulators are requesting comments on whether institutions should be allowed to continue to use the simplified notices, as allowed under the current rules. If the regulators do allow the continued use of these and other current notices that credit unions use, we request clarification that this would not require changing these notices to the format of the model forms that are currently being proposed. By this we mean there should be no requirement that current notices be printed on one side of an 8 ½ by 11 piece of paper or be subject to the print and font size, as described in the proposal. Again, we believe that the current version of these notices is already clear and easy-to-understand in their current format, and the costs and burden of changing the paper size or other aspects of these notices would be considerable, without any corresponding benefits to consumers.
Another concern we have with the proposed forms is the inflexibility with regard to the content. For example, many financial institutions, including credit unions, provide information on privacy notices about identity theft. Many consumers find this information useful and we feel it is very appropriate for this information to be included in the privacy notices, since protection against identity theft is one of the primary reasons consumers are concerned with the privacy of their personal information. Other information may also be included, such as the process for being included in the FTCs Do Not Call Registry, which we also believe would be appropriate for privacy notices.
Also, other states, such as Vermont and California impose additional limits on sharing information about Vermont and California residents. Nevada also requires an additional disclosure on the privacy notices for its residents. Financial institutions often include this additional information on their privacy notices, which would be important for consumers who live in these three States. We believe the proposed model form should allow institutions the additional flexibility to provide this information.
If credit unions are required or choose to use the model forms, we believe they should have the option of using the term member instead of the term customer that is used on the model form. Members own the credit union, which is very different than the customer relationship at banks and other financial institutions, and we believe the privacy notices should reflect this.
The proposed model form also attempts to incorporate the provisions of the Fair and Accurate Credit Transactions (FACT) Act that provides consumers with the opportunity to opt-out before an institution uses certain information provided by an affiliate to market its products or services to the consumer. For credit unions, this would include information sharing with CUSOs.
One problem is that the proposed form allows consumers to opt-out of sharing information about my creditworthiness with your affiliates for their everyday business purposes. However, the FACT Act allows a consumer to opt-out of this type of information sharing only if this information is to be used to market products and services to the consumer.
Another problem is that the proposed form states that information may be shared thirty days after the consumer receives the privacy notice. This will apply both to information shared with affiliates and with nonaffiliated parties, to the extent such information sharing if permitted. However, the privacy rules issued in 2000 and the proposed FACT Act affiliate information sharing rules that were issued in 2004 only require that consumers have a reasonable time to decide whether to opt-out of the information sharing, and thirty days is mentioned as an example of a reasonable time. Although we do not disagree that thirty days may be reasonable, the effect of the proposed form is to make the thirty days mandatory, which is not required under these rules.
With regard to affiliate information sharing, the model form indicates that the consumers election to opt-out of the information sharing will be honored for five years. NCUA and the other regulators have requested comment as to whether financial institutions will limit the opt-out period to five years. We believe credit unions that are subject to these requirements will likely not impose such a limitation. Such an approach will alleviate the need to provide notices at a later time to extend the opt-out period, and it will also make this process more consistent with the opt-out provisions with regard to information sharing with nonaffiliated parties.
NCUA and the other regulators have also requested comment on a number of other specific issues. One issue is whether financial institutions should be required to alert consumers to changes in the institutions privacy practices and whether this should be reflected in the model form. We would support such a disclosure, especially if an institution originally decides not to share information in situations in which the consumer has the right to opt-out of the sharing and then decides to share such information. Such changes could be explained either by providing an explanation on the privacy notice itself or by describing the change in a cover letter that accompanies the notice.
Another issue in which comment has been requested is whether the regulators should develop and make available on their websites a readily accessible and downloadable model form that institutions may use to create their own notices by filling in the required information. We believe this will be very helpful for those that would prefer to fill out such a form online and then be able to print out to send to their members or be able to provide these notices electronically for those members who agree to receive them in such a format.
NCUA and the other regulators have raised the issue as to whether it is necessary for consumers to provide the account number, Social Security number, or other personal information when opting out of certain information sharing. We believe that the consumers full name and truncated account number should be sufficient for purposes of complying with the opt-out request.
Finally, NCUA and the other regulators propose a one-year transition period in which current privacy notices may be provided for one year after the effective date of the model forms. As stated above, we do not believe the new model forms should apply to credit unions, but believe this one-year time period will be sufficient for those required to use them.
Thank you for the opportunity to comment on the proposed model privacy notices. If Board members or agency staff have questions about our comments, please contact Senior Vice President and Deputy General Counsel Mary Dunn or me at (202) 638-5777.
Senior Assistant General Counsel