CUNA Regulatory Comment Call
May 24, 2004
Disposal of Consumer Report Information
(Major Rule Applies to Federal Credit Unions)
- The Fair and Accurate Credit Transactions (FACT) Act that was enacted this past December requires the Federal Trade Commission (FTC) and the financial institution regulators to issue comparable rules regarding the proper disposal of consumer report information and records. The NCUA rule will only apply to federal credit unions (FCUs). FTC has recently issued a comparable rule that will apply to state-chartered credit unions. Click below for more information about the FTC rule: http://www.cuna.org/reg_advocacy/reg_call/rcc_050404.html
- The proposed rule will require the proper disposal of consumer information derived from consumer reports. The proposal also amends the current Guidelines for Safeguarding Member Information to address the disposal of consumer information in the same manner currently required for member information. Consumer information may or may not include member information as consumer information generally refers to information the credit union obtains on any individual that is derived from a consumer report while member information generally refers to nonpublic personal information about a member.
- The rule will be effective three months after the final rule is issued, which should be no later than December 4, 2004. FCUs will also have one year after the final rule is issued to amend contracts with service providers to incorporate the necessary requirements regarding the proper disposal of consumer information.
- Comments on the NCUA proposed rule are due by July 12, 2004. Please submit your comments to CUNA by June 30, 2004. If you provide comments directly to NCUA, please reference FACT Act Disposal Rule.
Please feel free to fax your responses to CUNA at 202-638-7052; e-mail them to Associate General Counsel Mary Dunn at firstname.lastname@example.org and to Assistant General Counsel Jeff Bloch at email@example.com; or mail them to Mary and Jeff in c/o CUNA's Regulatory Advocacy Department, 601 Pennsylvania Avenue, NW, South Building, Suite 600, Washington, DC 20004-2601. You may also contact us at 800-356-9655, ext. 6732, if you would like a copy of the proposed rule, or you may access it on the Internet at the following address: http://www.ncua.gov/NCUABoard/draftboardactions/Item2.pdf.
President Bush this past December signed into law the FACT Act that permanently extends the federal preemptions for credit reporting under the Fair Credit Reporting Act (FCRA). The FACT Act also creates a number of important new consumer protections designed to help prevent identity theft and assist consumers who become victims of this rapidly growing crime. It also contains new restrictions on information sharing and creates a federal commission that will coordinate financial education efforts at the national, state, and local levels.
The FACT Act will be implemented through a number of new rules that will be issued this year. Access below for a special issue of RegWatch that describes the significant provisions of the FACT Act: http://www.cuna.org/reg_advocacy/member/regwatch/regwatch.html
DESCRIPTION OF THE PROPOSED RULE
The proposed rule will require FCUs to develop, implement, and maintain appropriate measures to properly dispose of consumer information derived from consumer reports. The term consumer information means any record of an individual, or compilation of records, in any form, paper or electronic, that is a consumer report or derived from a consumer report that is maintained by the FCU for a business purpose. The definition of consumer report is the same as currently used under FCRA, which generally means credit, reputation, personal, or mode of living information used to establish eligibility for credit, employment, and for certain other purposes. Information derived from consumer reports but not identifying any specific consumers would not be covered under the proposed rule.
The proposed rule will not require FCUs to maintain or destroy consumer records beyond those imposed by any other law. The rule will also not affect provisions of other laws requiring FCUs to maintain or destroy such records.
The proposed rule is intended to be similar to the rules that will be issued by the other financial institution regulators and the rule recently issued by the FTC that will apply to state-chartered credit unions, as well as similar to the information security provisions of the Gramm-Leach-Bliley Act and other comparable federal laws. FCUs are expected to implement these measures in a manner consistent with NCUA's Guidelines for Safeguarding Member Information (Guidelines). This is to ensure that controls for the proper disposal of consumer information are integrated in the FCUs' information security programs, as described in the Guidelines. Click below for more information about these Guidelines: http://www.cuna.org/reg_advocacy/member/analysis/ncua_012301.html
The proposal also amends the current Guidelines to address the disposal of consumer information in the same manner that the Guidelines address member information. Consumer information may or may not include member information as consumer information generally refers to information the credit union obtains on any individual, member or nonmember, that is derived from a consumer report while member information generally refers to nonpublic personal information about a member.
Although no methods of disposal are required, such disposal should ensure that the records are unreadable, such as by shredding or other means. As for computer-based records, credit unions should note that residual information often remains after data is erased and additional methods may be needed to dispose of the information.
FCUs are expected to review how their service providers dispose of consumer information and, if necessary, should require service providers to develop appropriate measures for the proper disposal of the information. If warranted, FCUs are also expected to monitor the service providers to confirm that they have satisfied their contractual obligations.
The rule will be effective three months after the final rule is issued, which should be no later than December 4, 2004. Credit unions will have one year after the final rule is issued to amend contracts with service providers to incorporate the necessary requirements regarding the proper disposal of consumer information.
QUESTIONS TO CONSIDER REGARDING NCUA'S PROPOSAL ON DISPOSAL OF CONSUMER INFORMATION
(NCUA has specifically requested comment on most of the issues raised in these questions.)
- The term consumer information includes information derived from consumer reports. NCUA interprets this to mean all information from a consumer report, including information that results in whole or in part from manipulation of the information and such information that has been combined with other types of information. This would require each affiliate of the credit union, namely CUSOs, to properly dispose of any such information it receives from the credit union. It would also require proper disposal even if it is no longer considered a consumer report under the FCRA, which would happen if the consumer has been given notice and elected not to opt-out of the information sharing with the affiliate, or CUSO. Do you agree with this interpretation? Should it be further clarified, by example or otherwise?
- The definition of consumer information includes the qualification that the information be maintained or possessed for a business purpose. NCUA interprets this to include any commercial purpose for which the FCU might maintain or possess consumer information. Do you agree with this
- FCUs will be required to implement measures to properly dispose of consumer information within three months after the final rule is issued. FCUs will also be required to modify contracts with service providers as necessary to include these new requirements within one year after the final rule is issued. Is this sufficient? If not, how much more time would be needed?
- The Guidelines will be amended to state that FCUs should develop, implement, and maintain, as part of their existing information security programs, appropriate measures for the proper disposal of consumer information in a manner consistent with the disposal of member information. Does this sufficiently explain the obligations of FCUs to modify their existing information security programs to include measures for the proper disposal of consumer information? Is the term proper disposal sufficiently clear? Would a more specific standard provide better guidance and/or better protection
- Other comments?
Eric Richard General Counsel (202) 508-6742 firstname.lastname@example.org
Mary Mitchell Dunn SVP & Associate General Counsel (202) 508-6736 email@example.com
Jeffrey Bloch Assistant General Counsel (202) 508-6732 firstname.lastname@example.org
Catherine Orr Senior Regulatory Counsel (202) 508-6743 email@example.com