CUNA Regulatory Comment Call

February 28, 2000

NCUA’s Proposed Privacy Rules



Please feel free to fax your comments to Jeffrey Bloch at 202-371-8240; e-mail them to Jeff at or to Kathy Thompson at; or mail them to Jeff or Kathy in c/o CUNA's Regulatory Advocacy Department, 805 15th Street, NW, Suite 300, Washington, DC 20005. Please contact us if you need more information.


I. Definitions

The proposed rules provide a number of definitions. The following are of particular interest:

Affiliate - This means any company that controls, is controlled by, or under common control with another company. An affiliate of a federal credit union will be a credit union service organization (CUSO) "controlled" by the credit union. "Control" means either control of 25% of any class of stock of another company; control over the election of a majority of directors, trustees, or general partners of another company; or power to exercise a controlling influence over the management or policies of that other company.

Nonaffiliated third party - This means any person or entity except an affiliate or joint employee of the credit union and the nonaffiliate.

Nonpublic personal information - This generally includes all personally identifiable financial information or any listing, description, or grouping of consumers that is derived by using personally identifiable financial information. Although "publicly available information" is excluded, the information is not public unless it is actually obtained from a public source. Other agencies are proposing an alternative where the information will be considered public if it could be obtained from a public source, even if it is obtained from another source. However, under either scenario, the fact that an individual is a credit union member will be considered "nonpublic."

Personally identifiable financial information - This generally means information obtained by a credit union in connection with providing a financial service or product to a consumer. This may include information not previously thought of as "financial," such as health status.

Publicly available information - This includes information available from government records, information required to be disclosed by law, and information contained in "widely available media," which includes print, television, radio, and Internet sites that are available without a password or special fee.

II. Initial Notice of Privacy Policies

An initial notice of the privacy policy must be provided prior to the time that a "continuing relationship" with the consumer is established. This will usually occur when an individual applies for membership. There will also be situations where a nonmember will have a continuing relationship with the credit union. This may occur when a nonmember is a guarantor on a loan, a joint accountholder, establishes a share account at a low-income designated credit union, or where a credit union owns or services a nonmember’s loan.

A continuing relationship is not established by engaging in isolated transactions, such as when a nonmember uses a credit union’s ATM. If the continuing relationship is not established, the initial notice must be provided to the consumer prior to the time that the credit union discloses nonpublic personal information to a nonaffiliated third party. An initial notice under these circumstances will not be required if such information is not disclosed or if such disclosure is allowed under certain exceptions, as described in Section VII below.

Oral descriptions of the information in the notice will not be permitted. In the case of a continuing relationship, the initial notice may be given after the establishment of such a relationship if: 1) the credit union assumes the loan from another institution; or 2) the credit union and the consumer orally agree to enter into the continuing relationship and the consumer agrees to receive the notice at a later time. If a credit union sells a loan but keeps the servicing rights, the credit union will still have a continuing relationship with the borrower.

The initial notice must generally be sent to the consumer. Posting the notice in a branch lobby will not be acceptable. The notice may be sent by e-mail if the consumer agrees and may be posted on a website if the consumer is required to acknowledge receipt prior to obtaining a financial service or product.

III. Annual Notice of Privacy Policies

An annual notice of privacy policies must be provided to members and others with a continuing relationship with the credit union until the time that the relationship is terminated. The annual notice must be sent in the same manner as the initial notice.

IV. Content of the Initial and Annual Notice

The initial and annual notice must provide the following information:

As described in Section VII below, certain nonpublic personal information may be disclosed to nonaffiliated third parties without providing consumers with notice and the right to opt out. For these disclosures, the initial and annual notices need only state that such disclosures are made as permitted by law. The notices may also be based on future categories of information that may be disclosed and future categories of affiliates and nonaffiliated third parties to whom the information may be disclosed to. If the credit union does not intend to disclose nonpublic personal information to affiliates or nonaffiliated third parties, the credit union may just simply state this in the notice.

V. Limitations on Disclosure of Nonpublic Personal Information to Nonaffiliated Third Parties

Unless an exception applies, as described in Section VII below, nonpublic personal information cannot be disclosed to a nonaffiliated third party unless:

The credit union may provide the opt out notice by mail but the individual must be given a "reasonable" time to opt out. A 30-day period would satisfy this requirement. Although the credit union may then disclose the information, the consumer may always exercise an opt out at a later time and the credit union must then stop disclosing the information as soon as it is reasonably practicable. However, this may result in information being disclosed to nonaffiliated third parties until the time that the opt out is implemented. For isolated transactions, such as purchase of a traveler’s check, reasonable time is sufficient if the opt out notice is provided at the time of the transaction and the individual is requested, as a necessary part of the transaction, to decide whether to opt out before completing the transaction.

An opt out exercised by a consumer will apply to all information collected, regardless of when the information is collected. The credit union may also allow consumers to exercise a partial opt out of certain nonpublic personal information or certain nonaffiliated third parties.

VI. Form and Method of Providing the Opt Out Notice

The opt out notice must: 1) state that the credit union may or will disclose information to a nonaffiliated third party; 2) state that the individual has a right to opt out of that disclosure; and 3) provide a reasonable means to exercise the opt out option. The notice will be adequate if it identifies the categories of nonpublic personal information that is or may be disclosed in the future and states that the consumer can opt out of the disclosure.

The opt out notice cannot be provided orally. Reasonable means of providing such notice may include check-off boxes, self-addressed stamped replies, or e-mail notifications if the consumer agrees. Requiring consumers to send their own letters will not be considered reasonable. If the credit union orally agrees to enter into a continuing relationship, the opt out may be provided within a reasonable time afterwards if the consumer agrees. The opt out notice may be provided with the initial notice. If it is provided at a later time, a copy of the initial notice must be included.

The following must be provided if the credit union wants to disclose information other than as described in the initial notice:

The credit union may then disclose the information if the consumer does not opt out within the reasonable time. A revised notice will be required if disclosing a new category of nonpublic personal information to a nonaffiliated third party or disclosing such information to a new category of nonaffiliated third party.

Again, the right to opt out may be exercised at any time and the credit union must promptly comply with the opt out. The opt out will be effective until revoked by the consumer either in writing or electronically.

VII. Exceptions to the Opt Out Requirements

A. Service Providers and Joint Marketing

The opt out requirements will not apply when the credit union provides nonpublic personal information about a consumer to a nonaffiliated third party that performs services for the credit union or functions on the credit union’s behalf. However, the credit union must:

The services performed by a nonaffiliated third party under this exception may include the marketing of the credit union’s own products or services or the marketing of financial products or services offered under joint agreements with other financial institutions. "Joint agreement" means a contract where the parties jointly offer, endorse, or sponsor a financial product or service.

B. Transaction Processing

The opt out requirements will also not apply if disclosure of nonpublic personal information is necessary or appropriate in order to administer or enforce a transaction that:

For this exception and the exceptions listed below, the initial and annual notices must still be provided to those with a continuing relationship with the credit union. When referencing these exceptions, the notices need only state that such disclosures are made as permitted by law. Such notices will not have to be provided to those without a continuing relationship with the credit union.

C. Other Exceptions

The following are additional exceptions:

VIII. Reuse of Information

In general, if a credit union receives nonpublic personal information from a nonaffiliated financial institution, it may not then be disclosed to an entity not affiliated with these two parties, unless the disclosure would have been permitted if made directly by the receiving credit union. If the credit union discloses nonpublic personal information to a nonaffiliated third party, that third party may not further disclose that information to an entity not affiliated with these two parties, unless the disclosure would have been permitted if made directly by the credit union.

Under either situation described above, information received under an exception described in Section VII above may only be used for the purpose of that exception.

IX. No Disclosure of Account Number Information for Marketing Purposes

Other than to a consumer reporting agency, credit unions will not be permitted to disclose account numbers or access codes for credit cards, share accounts, or transaction accounts to any nonaffiliated third parties for marketing purposes.

X. Relation to State Law

State laws, regulations, orders, opinions will still be valid to the extent that they are not inconsistent with these new privacy rules. Inconsistency does not include State protections that are greater than those provided by these new privacy rules, as determined by the Federal Trade Commission, after consultation with NCUA.

XI. Effective Date

The effective date of this rule is contemplated to be November 13, 2000, although NCUA has flexibility to extend this date. Within thirty days after the effective date, credit unions must provide initial notices to those that had a continuing relationship with the credit union as of the effective date.


(Most of these are issues raised by NCUA)

Eric Richard • General Counsel • (202) 508-6742 •
Mary Mitchell Dunn • SVP & Associate General Counsel • (202) 508-6736 •
Jeffrey Bloch • Assistant General Counsel • (202) 508-6732 •
Catherine Orr • Senior Regulatory Counsel • (202) 508-6743 •