CUNA Comment Letter

CUNA Comment Letter on Gramm-Leach Bliley Act Privacy Safeguards Rule, 16 CFR Part 314

VIA E-MAIL: GLB501Rule@ftc.gov

October 8, 2001

Secretary
Federal Trade Commission - Room 159
600 Pennsylvania Avenue, N.W.
Washington, DC 20580

RE: Gramm-Leach Bliley Act Privacy Safeguards Rule, 16 CFR Part 314 – Comment

Dear Sir or Madam:

The Credit Union National Association (CUNA) appreciates the opportunity to comment on the Federal Trade Commission’s (FTC’s) proposed rule on privacy safeguards. CUNA represents more than 90 percent of our nation’s 10,500 state and federal credit unions.

The FTC privacy safeguards rule will apply to approximately 400 credit unions that are not federally insured. CUNA is also interested in the FTC privacy rule because it will cover credit union service organizations (CUSOs) to the extent that such CUSOs are not covered under another agency’s privacy rule, such as those issued by the Securities and Exchange Commission. CUSOs are limited partnerships, corporations, or limited liability companies in which a credit union has made an investment and/or loan. CUSOs provide services that primarily serve credit unions or members of affiliated credit unions.

As required under the Gramm-Leach-Bliley Act, the FTC and other agencies issued privacy rules last year regarding the distribution of annual privacy notices to consumers and the procedures that financial institutions must use when providing consumers with the right to "opt out" of certain information disclosures. As with the proposed privacy safeguards rule, the privacy rules issued last year by the FTC apply to approximately 400 credit unions that are not federally insured and to CUSOs.

On March 31, 2000, CUNA submitted a comment letter to the FTC in response to the privacy rules that apply to the distribution of these annual privacy notices. In that letter, CUNA requested that the FTC allow non-federally insured credit unions to follow the privacy rule that was issued by the National Credit Union Administration (NCUA), while preserving the FTC’s enforcement authority over these credit unions. The final rule issued by the FTC incorporated this suggestion.

We believe this approach should also apply to the privacy safeguards rule and that the FTC should allow non- federally insured credit union to follow the privacy safeguards rule that was issued by NCUA earlier this year. Unlike the FTC’s rule, the rule issued by NCUA applies only to credit unions and, therefore, focuses on their unique structure and organization. Also, we believe that allowing all credit unions to rely on the same language may improve compliance because all credit unions will have the opportunity to receive consistent training.

Although similar in most respects, there are differences between the rules issued by the FTC and NCUA that would be alleviated if non-federally insured credit unions had the option to comply with NCUA’s rule. One significant difference is that NCUA incorporated the substantive provisions in an appendix containing detailed guidelines. The FTC rule does not include guidelines but, instead, includes many of these provisions within the rule itself.

Another difference important for credit unions is that the NCUA allows for a two-year grandfather clause with regard to agreements with service providers. Under this provision, credit unions and service providers have additional time to incorporate provisions in their contracts requiring service providers to maintain the security of the information. We believe that non-federally insured credit unions should also have this flexibility.

Again, providing non-federally insured credit unions with the option of complying with NCUA’s rule would not affect the FTC’s enforcement authority.

Thank you for the opportunity to comment on the FTC’s proposed rule on privacy safeguards. If you have questions about our comments, please give Associate General Counsel Mary Dunn or me a call at (202) 682-4200.

Sincerely,
Jeffrey Bloch Assistant General Counsel