CUNA Regulatory Comment Call


March 28, 2002

Study on Information Sharing Practices


(NOT A MAJOR RULE)

EXECUTIVE SUMMARY

Please feel free to fax your responses to CUNA at 202-638-7052; e-mail them to Associate General Counsel Mary Dunn at mdunn@cuna.com and to Assistant General Counsel Jeffrey Bloch at jbloch@cuna.com; or mail them to Mary and Jeff c/o CUNA’s Regulatory Advocacy Department, 601 Pennsylvania Avenue, NW, South Building, Suite 600, Washington, DC 20004-2601. You may also contact us at 800-356-9655, ext. 6032, if you would like a copy of the study, or you may access it here.

BACKGROUND

The GLBA generally requires financial institutions to provide a clear and conspicuous privacy notice and to allow consumers to “opt out” of the disclosure of nonpublic personal information to a nonaffiliated third party, unless certain exceptions apply. The GLBA also requires the financial institution regulators to conduct a study of the information sharing practices among financial institutions and their affiliates and nonaffiliated third parties. Upon completion, the study will be submitted to Congress, along with any recommendations for possible legislative or administrative actions.

DESCRIPTION OF THE STUDY

The following are the topics and questions that have been included in this study of information sharing practices. (For credit unions, affiliates will generally refer to CUSOs and the term “consumer” refers to credit union members.)

  1. Purposes for the sharing of confidential consumer information with affiliates or with nonaffiliated third parties:
    a. What types of information do financial institutions share with affiliates?
    b. What types of information do financial institutions share with nonaffiliated third parties?
    c. Do financial institutions share different types of information with affiliates than with nonaffiliated third parties? If so, please explain the differences in the types of information shared with affiliates and with nonaffiliated third parties.
    d. For what purposes do financial institutions share information with affiliates?
    e. For what purposes do financial institutions share information with nonaffiliated third parties?
    f. What, if any, limits do financial institutions voluntarily place on the sharing of information with their affiliates and nonaffiliated third parties? Please explain.
    g. What, if any, operational limitations prevent or inhibit financial institutions from sharing information with affiliates and nonaffiliated third parties? Please explain.
    h. For what other purposes would financial institutions like to share information but currently do not? What benefits would financial institutions derive from sharing information for those purposes? What currently prevents or inhibits such sharing of information?
  2. The extent and adequacy of security protections for such information:
    a. Describe the kinds of safeguards that financial institutions have in place to protect the security of information. Please consider administrative, technical, and physical protections, as well as the protections that financial institutions impose on their third-party service providers.
    b. To what extent are the safeguards described above required under existing law, such as the GLBA?
    c. Do existing statutory and regulatory requirements protect information adequately? Please explain why or why not.
    d. What, if any, new or revised statutory or regulatory protections would be useful? Please explain.
  3. The potential risks for consumer privacy of such sharing of information:
    a. What, if any, potential privacy risks does a consumer face when a financial institution shares the consumer's information with an affiliate?
    b. What, if any, potential privacy risks does a consumer face when a financial institution shares the consumer's information with a nonaffiliated third party?
    c. What, if any, potential risk to privacy does a consumer face when an affiliate shares information obtained from another affiliate with a nonaffiliated third party?
  4. The potential benefits for financial institutions and affiliates of such sharing of information (specific examples, means of assessment, or evidence of benefits would be useful):
    a. In what ways do financial institutions benefit from sharing information with affiliates?
    b. In what ways do financial institutions benefit from sharing information with nonaffiliated third parties?
    c. In what ways do affiliates benefit when financial institutions share information with them?
    d. In what ways do affiliates benefit from sharing information that they obtain from other affiliates with nonaffiliated third parties?
    e. What effects would further limitations on such sharing of information have on financial institutions and affiliates?
  5. The potential benefits for consumers of such sharing of information (specific examples, means of assessment, or evidence of benefits would be useful):
    a. In what ways does a consumer benefit from the sharing of such information by a financial institution with its affiliates?
    b. In what ways does a consumer benefit from the sharing of such information by a financial institution with nonaffiliated third parties?
    c. In what ways does a consumer benefit when affiliates share information they obtained from other affiliates with nonaffiliated third parties?
    d. What, if any, alternatives are there to achieve the same or similar benefits for consumers without such sharing of such information?
    e. What effects, positive or negative, would further limitations on the sharing of such information have on consumers?
  6. The adequacy of existing laws to protect consumer privacy:
    a. Do existing privacy laws, such as GLBA privacy regulations and the Fair Credit Reporting Act (FCRA), adequately protect the privacy of a consumer's information? Please explain why or why not.
    b. What, if any, new or revised statutory or regulatory protections would be useful to protect consumer privacy? Please explain.
  7. The adequacy of financial institution privacy policy and privacy rights disclosure under existing law:
    a. Have financial institution privacy notices been adequate in light of existing requirements? Please explain why or why not.
    b. What, if any, new or revised requirements would improve how financial institutions describe their privacy policies and practices and inform consumers about their privacy rights? Please explain how any of these new or revised requirements would improve financial institutions' notices.
  8. The feasibility of different approaches, including opt-out and opt-in, to permit consumers to direct that such information not be shared with affiliates and nonaffiliated third parties:
    a. Is it feasible to require financial institutions to obtain consumers' consent (opt-in) before sharing information with affiliates in some or all circumstances? With nonaffiliated third parties? Please explain what effects, both positive and negative, such a requirement would have on financial institutions and on consumers.
    b. Under what circumstances would it be appropriate to permit, but not require, financial institutions to obtain consumers' consent (opt-in) before sharing information with affiliates as an alternative to a required opt out in some or all circumstances? With nonaffiliated third parties? What effects, both positive and negative, would such a voluntary opt-in have on consumers and on financial institutions? (Please describe any experience of this approach that you may have had, including consumer acceptance.)
    c. Is it feasible to require financial institutions to permit consumers to opt out generally of having their information shared with affiliates? Please explain what effects, both positive and negative, such a requirement would have on consumers and on financial institutions.
    d. What, if any, other methods would permit consumers to direct that information not be shared with affiliates or nonaffiliated third parties? Please explain the benefits and drawbacks for consumers and for financial institutions of each method identified.
  9. The feasibility of restricting sharing of such information for specific uses or of permitting consumers to direct the uses for which such information may be shared:
    a. Describe the circumstances under which or the extent to which consumers may be able to restrict the sharing of information by financial institutions for specific uses or to direct the uses for which such information may be shared.
    b. What effects, both positive and negative, would such a policy have on financial institutions and on consumers?
    c. Please describe any experience you may have had with this approach.

Eric Richard • General Counsel • (202) 508-6742 • erichard@cuna.com
Mary Mitchell Dunn • SVP & Associate General Counsel • (202) 508-6736 • mdunn@cuna.com
Jeffrey Bloch • Assistant General Counsel • (202) 508-6732 • jbloch@cuna.com
Catherine Orr • Senior Regulatory Counsel • (202) 508-6743 • corr@cuna.com