CUNA Comment Letter
FACT Act Disposal Rule
July 9, 2004
Ms. Becky Baker
Secretary of the Board
National Credit Union Administration
1775 Duke Street
Alexandria, VA 22314-3428
Dear Ms. Baker:
The Credit Union National Association (CUNA) is pleased to respond to the National Credit Union Administrations (NCUAs) proposed rule regarding the disposal of consumer report information and records, as required under the Fair and Accurate Credit Transactions (FACT) Act. By way of background, CUNA is the largest credit union trade association, representing approximately 90% of our nations nearly 9,600 state and federal credit unions. The following comments were developed by CUNA with input from credit unions, credit union leagues, and CUNAs Consumer Protection Subcommittee, chaired by Kris Mecham, CEO of Deseret First Credit Union, Salt Lake City, Utah.
The FACT Act requires NCUA, the Federal Trade Commission (FTC), and the other federal financial institution regulators to issue comparable rules regarding the proper disposal of consumer report information that is also consistent with the Gramm-Leach-Bliley Act provisions on information security, as well as other similar provisions of federal law. NCUAs rule will apply to federal credit unions (FCUs), while the FTCs rule will apply to state-chartered and privately insured credit unions.
Summary of CUNAs Position
- CUNA generally supports the substantive provisions of the proposed rule regarding the disposal of consumer information. We believe, overall, that the proposal adequately balances the concerns of consumers and the industry.
- CUNA suggests that the definition of consumer information exclude information that cannot be identified as relating to any particular consumer and that the scope of the Guidelines for Safeguarding in Member Information be changed to eliminate the confusion between consumer information and member information.
- Compliance will be required within three months after the final rule is issued, and credit unions will have one year to modify contracts with service providers to incorporate the necessary requirements. We believe this time frame will be sufficient.
The proposed rule will require FCUs to develop, implement, and maintain appropriate measures to properly dispose of consumer information derived from consumer reports. The proposal also amends the current Guidelines for Safeguarding Member Information to address the disposal of consumer information, in addition to member information, which may or may not be the same.
CUNA generally supports the proposed rule regarding the disposal of consumer information, and we commend NCUAs efforts in drafting the proposed rule. We believe, overall, that the proposal adequately balances the concerns of consumers and the industry. The rule provides reasonable protections against identity theft and the unintended disclosure of consumer information, while providing sufficient latitude to FCUs regarding the disposal of such information.
The term consumer information is defined as any record of an individual in any form, paper or electronic, that is a consumer report or derived from a consumer report. The definition of consumer report is the same as currently used under the Fair Credit Reporting Act (FCRA), which generally means credit, reputation, personal, or mode of living information used to establish eligibility for credit, employment, and for certain other purposes. The rule also covers manipulation or combination of consumer information with other types of information, as well as when it is no longer considered a consumer report under the FCRA.
Although we generally support the substantive provisions of the proposed rule, we believe the proposed definition of consumer information in Part 717 and the scope of Appendix A to Part 748 should be modified to reduce unnecessary burdens on credit unions. The proposed definition appears to include all information from or derived from a consumer report whether or not the information may be identified with a particular individual. We believe Congress intended this undefined statutory term to include only consumer information that may be associated with a specific consumer. We do not think Congress intended to mandate that financial institutions incur additional burdens and costs solely to safeguard information that cannot be identified as relating to any particular consumer. This position is supported by the cross-reference in Section 216 of the FACT Act to the Gramm-Leach Bliley Act provisions on safeguarding information, which only applies to personally identifiable information. For this reason, we urge NCUA to exclude information that cannot be identified with a particular consumer from the scope of regulations that implement Section 216 of the FACT Act.
Another issue for credit unions concerns the terms, member and member information and the use of these terms in relation to consumer information. The Guidelines for Safeguarding Member Information refer only to member information, which does not include all consumer information envisioned by Section 216 of the FACT Act as credit unions may obtain consumer reports in various situations for nonmembers. The proposed rule attempts to address this problem of scope by inserting a cross-reference to the FCRAs requirements regarding the proper disposal of consumer information. However, the amended Appendix A to the Guidelines appears to represent the term consumer information as a subset of member information. This creates a potential problem, because when credit unions obtain consumer reports for nonmembers, the information is not technically member information. To eliminate this confusion, NCUA should modify the scope of the Guidelines to include all nonpublic personal information.
Although no methods of disposal are required, the proposal clarifies that such methods should ensure that the records are unreadable, such as by shredding or other means. We believe this approach is sufficient regarding proper disposal of consumer information, but credit unions would also welcome additional guidance. The FTC has included such guidance in its rule regarding the disposal of consumer information. We believe it may be useful if NCUAs rule references this guidance for those credit unions that may find it helpful. Additional guidance should also be considered in the future, as technology evolves and as the industry develops additional experience in this area.
The proposed rule is scheduled to be effective three months after the final rule is issued. Credit unions will have one year after the final rule is issued to amend contracts with service providers to incorporate the necessary requirements regarding the proper disposal of consumer information. We believe this time period for compliance will be sufficient for FCUs to adjust their systems and modify their contracts with service providers.
Thank you for the opportunity to comment on the proposed rule regarding the disposal of consumer information. If you have questions about our comments, please contact Associate General Counsel Mary Dunn or me at (202) 638-5777.
Assistant General Counsel