CUNA Comment Letter
NCUA's Proposed Rule on the Fair Credit
December 22, 2000
Ms. Becky Baker
Secretary of the Board
National Credit Union Administration
1775 Duke Street
Alexandria, Virginia 22314-3428
Re: NCUA's Proposed Rule on the Fair Credit Reporting Act (Part 706, Subpart B)
Dear Ms. Baker:
The Credit Union National Association (CUNA) appreciates the opportunity to comment on the National Credit Union Administration's (NCUA's) proposed rule on the Fair Credit Reporting Act (FCRA). The privacy rule issued by NCUA earlier this year requires that the privacy notices include the disclosures that are required under the FCRA. The proposed FCRA rule is intended to conform certain requirements of the FCRA with the privacy rule to the extent possible.
CUNA represents more than 90 percent of our nation's 10,500 state and federal credit unions. This letter reflects the views of our member credit unions and of CUNA's Consumer Protection Subcommittee, chaired by Kris Mecham, CEO of Deseret First Credit Union, Salt Lake City, Utah.
Summary of CUNA's Position
In the proposed rule, NCUA has requested comment on a number of specific issues. Based on review of those issues and other concerns, CUNA recommends the following changes, which are described in further detail below:
- Compliance with the FCRA rule should not be required until the time that credit unions are required to deliver their 2002 annual privacy notice.
- Alternatively, compliance both with the notice requirements of the FCRA rule and of Part 716 of NCUA's Rules and Regulations should be delayed until July 16, 2001 to allow credit unions to provide the notices with their second quarter statements.
- The terms "transactions" and "experiences" should be defined.
- The FCRA rule should be amended or language included from the first Supplementary Information to clarify that credit unions have flexibility to combine the notices required under the FCRA rule with notices required under the privacy rule issued earlier this year.
- Examples should be provided to clarify the meaning of "clear and conspicuous" language and the standard for retention and accessibility of opt out notices that are delivered electronically.
- The proposed rule provides a 30-day time period as an example of a reasonable time that a member should have to respond to a notice from a credit union regarding the right to opt out of information sharing among affiliates. NCUA should not require that the 30-day time period be specified in the notice. We also believe that there are other situations where a different time period should be noted by way of an example.
- The FCRA rule should not impose a specific time period for credit unions to respond to a request from a member to opt out of information sharing among affiliates.
- The FCRA rule should adopt certain guidance contained in the Electronic Signatures in Global and National Commerce (E- Sign) Act regarding the definition of "electronic," how to determine the identity of the member who is communicating electronically, and the appropriate means for members to acknowledge the receipt of electronic notices.
- The FCRA rule should clarify our understanding that under the FCRA, financial institutions are permitted to share information with affiliates for certain purposes, such as processing accounts or transactions, without the need to provide consumers with notice and the right to opt out.
NCUA and the other financial institution regulators should consider delaying the effective date of the FCRA rule until 2002. Credit unions are well on their way in developing and completing the privacy notices that must be issued on or before July 1, 2001. If the FCRA rule is not delayed, then credit unions may be in a position where they have completed, or nearly completed, their privacy notices and then must revise those same notices to reflect the final FCRA rule before the notices are sent to the members.
There may even be situations where credit unions have already delivered their notices to members well before July 1, 2001 and then must deliver revised notices if the final FCRA rule requires changes and is issued after delivery of the privacy notices. Revising notices at a late date and the possibility of having to deliver to members an additional, revised notice to reflect the final FCRA rule will create a significant cost burden for credit unions. Members will also be confused if they receive multiple notices.
Another unfortunate situation may be that some credit unions may decide to delay the development and delivery of their privacy notices so that they can review and incorporate the requirements of the final FCRA rule before they devote a significant amount of resources to this process. Although this may avoid the need to issue revised notices, it may result in situations where credit unions wait for the final FCRA rule to be issued and then may not have enough time to develop and deliver adequate notices prior to July 1, 2001. We believe this could be significant problem because the final FCRA rule will likely not be issued until February or March, if not later.
Congress is also monitoring privacy issues closely and may impose new requirements that may necessitate changes to the notices. It may be helpful to delay the effective date of the FCRA rule in order to give credit unions a chance to incorporate any changes that may be made next year.
Delaying the effective date will also give NCUA and credit unions an opportunity to evaluate the distribution of the initial privacy notices in 2001. Credit unions will then be able to evaluate, and possibly improve, their compliance efforts and NCUA will have an opportunity to provide any necessary clarification before the FCRA rule becomes effective.
To address these concerns, we propose that the effective date of the FCRA rule be delayed until 2002. Specifically, we suggest that credit unions not be required to incorporate the FCRA rule into their privacy notices until the time that they are required to deliver their 2002 annual privacy notice.
This request for the delay in the effective date is made merely to protect credit unions from possible specific violations of this new FCRA rule that they may not be aware of until they have completed, or nearly completed, the privacy notices that will be delivered prior to July 1.
In the alternative, we offer another recommendation that we believe would significantly facilitate compliance with the notice requirements of both the FCRA and of Part 716. We recommend that the agency make the effective date of the FCRA and Part 716 regulations July 16, 2001. Although this would be a mere two weeks, such action would ease the compliance burden credit unions face by allowing them to send Privacy Act and FCRA notices with their second quarter statements. Since the FCRA rules will not be finalized until February 2001 at the earliest, it is becoming very difficult for credit unions to meet a first quarte3r mailing date. With the July 1, 2001 effective date, credit unions simply cannot use second quarter statement mailings. It would substantially reduce costs and compliance burdens if NCUA would delay the compliance date two weeks beyond July 1. Because July 1 is not a statutory deadline, we believe NCUA, in coordination with the other regulators, has full authority to implement such a reasonable change, and we urge the agency to give this recommendation every consideration
Definition of "Transactions" and "Experiences"
Under the FCRA, disclosures as to "transactions" or "experiences" between the consumer and the person making the disclosures may be made without having to provide the consumer with the right to opt out of those disclosures. The proposed FCRA incorporates these provisions but does not define the terms "transactions" and "experiences."
We believe it is important that the FCRA rule provide a definition or other guidance as to the meaning of these terms. This will provide credit unions with the necessary guidance that they need in order to determine the types of credit reporting information that need to be disclosed in the notices. The information that must be included in the notice depends, to a great extent, on how these terms are defined and without such guidance, there will likely be confusion and differing interpretations. As an example, NCUA could clarify whether payment histories and account transfers would be considered transaction or experience information.
In an effort to provide this guidance, we encourage NCUA to review the sample notice included in the proposed rule because we believe that some of the references to information subject to the opt out should actually be considered information regarding transactions or experiences. For example, the sample notice references "information we obtain from your application." We believe that this information is clearly obtained as a result of a transaction or experience between a credit union and its member. Another reference is to "information we obtain to verify representations made by you." Again, it appears that as a normal practice, a credit union would invariably have this information as a result of a transaction or experience between the credit union and the member.
Combined Notices for Privacy and FCRA Disclosures
As noted above, the proposed FCRA rule includes a sample notice for credit unions to use in order to make the disclosures as required under the FCRA. If credit unions use this sample notice, they will also need a separate notice to comply with the privacy rule that was issued earlier this year.
Our review of the FCRA rule does not indicate that a separate notice for FCRA disclosures is required. However, we are concerned that the inclusion of the sample notice will lead some credit unions to believe that they need to use this separate notice in order to comply with the rule.
To minimize this confusion, it would be helpful if the FCRA rule would incorporate language from the Board Action Memorandum indicating that it would be acceptable for credit unions to use a combined notice that would serve to comply with both the FCRA and the privacy rule.
Our review of both the sample FCRA notice and the sample clauses included in the privacy rule indicates some duplication that some credit unions may want to minimize. For example, with regard to information that is shared, the FCRA sample notice refers to "information we obtain from your application" and "information we obtain from a consumer report." These are nearly identical to the categories used in the sample clauses that were included in the privacy rule. Again, credit unions should have the ability to decide whether to use a separate or combined notice. Although a combined notice may eliminate some confusion, some credit unions may still decide that it would be preferable to use a separate notice that is similar to the one included in the FCRA rule.
Examples in the FCRA Rule
Credit unions appreciate the examples that have been provided in the proposed FCRA rule. We do, however, have suggestions for clarifying or improving some of these examples.
The definition of "clear and conspicuous" in § 706.8(b) of the proposed rule includes examples, such as "clear and concise sentences" and "everyday words." We are concerned that these examples may not provide enough guidance. Although credit unions will certainly strive the use the simplest language possible, it would be helpful if NCUA provided more concrete examples.
Without such concrete examples, it would appear to us that incorporating the other examples under "clear and conspicuous, " such as short sentences, concrete words, and avoiding double negatives, would achieve the desired result. If this is not the case, then credit unions will need additional examples of "clear and concise sentences" and "everyday words."
We are also aware that there has been a significant effort among the federal agencies in recent years to use "plain English" during the rulemaking process. If federal agencies have internal guidance on the use of "plain English" that has additional, concrete examples of any aspect of the term "clear and conspicuous," we believe it would be helpful if this information was publicly available.
We have also noticed what we believe to be an inconsistency among the examples given in the definition of "clear and conspicuous." Two of the examples given are "avoid legal and highly technical business terminology" and "avoid explanations that are imprecise." It appears that one example prohibits imprecise language while another seems to prohibit precise language that is often associated with "legal and technical terminology." Credit unions will either be confused by this possible inconsistency or will have great difficulty in drafting language that will, in essence, have to be "precise, but not too precise."
Section 706.13(d)(2) provides examples to clarify how credit unions may provide an opt out notice so that it can be accessed or retained at a later time. We suggest adding another example to clarify that this obligation is satisfied for notices delivered electronically if they are provided in such a way that a member can download or print the notice within a reasonable amount of time after it is delivered.
30-day Time Period for Responding to an Opt Out Notice
The proposed rule provides a 30-day time period as an example of a reasonable time that a member should have to respond to an opt out notice before information is disclosed to affiliates. NCUA has asked for comment on certain issues with regard to this example, including whether there are other situations in which a different time period should be noted as an example and whether the opt out notice to members should specifically reference a 30-day time period.
There may be some circumstances where a different time period should also be considered reasonable. For example, when making a collateralized loan, such as a car loan, there is a need to arrange for insurance for the collateral as soon as possible, and this may require the sharing of information that would be covered under the proposed rule. In these situations, it may very well be reasonable to provide a three-day time period that matches the current three-day right of rescission. Otherwise, the result may be a significant delay in completing the transaction. We believe members will understand the need for this shorter time period and will realize that avoiding such a significant delay is also in their best interests.
We believe credit unions should decide for themselves whether the notice should specifically mention the 30-day time period. Again, we want to emphasize that the 30-day period is an example of a reasonable time period and is not a statutory or a regulatory requirement in the proposed rule. Requiring notices to indicate the 30-day period would, in essence, make this time period a regulatory requirement.
As indicated in the preceding paragraph, there may be situations in which a different time period may also be considered reasonable. In these situations, it may be burdensome for credit unions to insert different time periods in their notices for different situations. For these reasons, credit unions should have the flexibility to decide whether to indicate the time period, whatever that may be, or to not include the time period.
On a similar issue, NCUA requested comment on whether the opt out notice should specifically indicate that members may opt out at any time. Again, credit unions are in the best position to decide for themselves whether this is necessary. We do not believe the absence of such information will deter members from requesting at a future time that certain information should no longer be shared with affiliates.
Specific Time Period for Credit Unions to Comply with Opt Out Requests
If a member chooses to opt out of the sharing of information to affiliates, the proposed rule requires credit unions to comply with this request as soon as "reasonably practicable." NCUA has requested comment as to whether a specific time period should be deemed to be "reasonably practicable."
We believe that it is not necessary to impose a specific time period. Credit unions need flexibility in general and also need flexibility because different time periods may be appropriate in certain situations. Various transactions have different reporting cycles, and it would be helpful if credit unions have the flexibility to time their compliance with an opt out request to these reporting cycles. Also, the privacy rule issued earlier this year does not include a specific time period. Consistency between the privacy rule and the FCRA rule would make it easier for credit unions to comply with both rules.
FCRA Rule and the E-Sign Act
NCUA has requested comment as to whether the proposed rule regarding electronic communications should be modified as a result of the E-Sign Act. The proposed rule allows credit unions to provide an electronic means to opt out if the member agrees to the electronic delivery of information. This includes members receiving the notice explaining the right to opt out and allowing members to exercise the right to opt out through electronic means.
We believe that the E-Sign Act provides guidance that should be adopted in the FCRA rule. As a general matter, the E- Sign Act provides that requirements to provide written notices may be satisfied if the notices are delivered in electronic form. This means that an electronic notice can actually be considered a written notice.
However, the proposed does not seem to embrace this concept. For example, §706.13 of the proposed rule states that "[y] ou must deliver an opt out notice so that each consumer can reasonably be expected to receive actual notice in writing or, if the consumer agrees, electronically."
This seems to imply that an electronic notice cannot be the equivalent of a written notice. This and similar provisions could be written to state that "[y]ou must deliver an opt out notice so that each consumer can reasonably be expected to receive actual notice in writing. This writing may be in electronic form, if the consumer agrees."
It may also be helpful if the rule adopts or refers to the E-Sign definition of "electronic," which is "relating to technology having electrical, digital, magnetic, wireless, optical, electromagnetic, or similar capabilities." This definition is intended to be general in recognition of the significant changes that may occur as technology evolves. We believe that the FCRA rule should adopt this general approach.
The E-Sign Act also provides general guidance regarding the appropriate means for the proper identification of the person that is agreeing to receive information electronically. Both the E-Sign Act and the Uniform Electronic Transactions Act (UETA) stress that the surrounding facts and circumstances must be analyzed in order to determine the most effective means for proper identification. We believe that the FCRA rule should provide similar guidance and should adopt the flexible approach that is incorporated in both the E-Sign Act and UETA.
The proposed rule will require members to acknowledge the receipt of the electronic notice that informs them of the right to opt out of certain information sharing among affiliates. We are concerned that this could be read to require members to send an electronic or written reply, which could include sensitive information, such as account or Social Security numbers. This burden and the risk that others may view this sensitive information would outweigh the benefit of electronic communication.
To alleviate this concern, NCUA should include guidance, either in the rule or by way of an example, to indicate that it would be acceptable for members to acknowledge receipt of information by clicking an acknowledgement box that follows a clear and properly worded inquiry from the credit union. This is an increasingly common practice under the E-Sign Act and should be noted in the FCRA rule.
Under the proposed rule, members may exercise their right to opt out electronically. The rule allows members to use a form that can be mailed electronically or a "process" at a web site. It may be helpful to include the clicking of an appropriate dialog box as an example of a "process," similar to the example noted above regarding the clicking of an acknowledgement box for receipt of electronic information.
Disclosure of Information for Purposes of Data Processing and Executing Transactions
This issue is extremely important to a number of credit unions. It is our understanding that under the FCRA, financial institutions are permitted to share information with affiliates for the purpose of processing accounts or transactions without the need to provide consumers with notice and the right to opt out. This is based on current statutory language and regulatory interpretations that have been issued in the past by the Federal Trade Commission (FTC).
We urge NCUA to confirm this exception with the FTC and to clarify in the final rule that notices are not necessary in these situations or for other administrative situations, such as disclosures to affiliates for the purpose of preparing loans for sale in the secondary market. Otherwise, credit unions may interpret the FCRA rule as requiring notices under these circumstances, and this could result in significant disruptions to their systems and practices. Perhaps the best approach here would be to incorporate the similar exceptions that already exist in the privacy rule that was issued earlier this year.
As with most proposed rules, NCUA has requested comment on whether the rule is understandable. While the content of the rule is well written, we believe NCUA should evaluate the practice of using questions as subheadings. We are concerned that this practice affects the readability of the rule. Using questions may make it more difficult for the reader to understand exactly how the rule is organized. Because of this difficulty, the reader may find the reading of the rule to be slow and sometimes awkward.
Thank you for the opportunity to comment on NCUA's proposed rule on the FCRA. If Board members or agency staff have questions about our comments, please contact me at (202) 218-7795.
Assistant General Counsel