CUNA Regulatory Comment Call

May 24, 2004

Disposal of Consumer Report Information
(Major Rule – Applies to Federal Credit Unions)


Please feel free to fax your responses to CUNA at 202-638-7052; e-mail them to Associate General Counsel Mary Dunn at and to Assistant General Counsel Jeff Bloch at; or mail them to Mary and Jeff in c/o CUNA’s Regulatory Advocacy Department, 601 Pennsylvania Avenue, NW, South Building, Suite 600, Washington, DC 20004-2601. You may also contact us at 800-356-9655, ext. 6732, if you would like a copy of the proposed rule, or you may access it on the Internet at the following address:


President Bush this past December signed into law the FACT Act that permanently extends the federal preemptions for credit reporting under the Fair Credit Reporting Act (FCRA). The FACT Act also creates a number of important new consumer protections designed to help prevent identity theft and assist consumers who become victims of this rapidly growing crime. It also contains new restrictions on information sharing and creates a federal commission that will coordinate financial education efforts at the national, state, and local levels.

The FACT Act will be implemented through a number of new rules that will be issued this year. Access below for a special issue of RegWatch that describes the significant provisions of the FACT Act:


The proposed rule will require FCUs to develop, implement, and maintain appropriate measures to properly dispose of consumer information derived from consumer reports. The term “consumer information” means any record of an individual, or compilation of records, in any form, paper or electronic, that is a consumer report or derived from a consumer report that is maintained by the FCU for a business purpose. The definition of “consumer report” is the same as currently used under FCRA, which generally means credit, reputation, personal, or mode of living information used to establish eligibility for credit, employment, and for certain other purposes. Information derived from consumer reports but not identifying any specific consumers would not be covered under the proposed rule.

The proposed rule will not require FCUs to maintain or destroy consumer records beyond those imposed by any other law. The rule will also not affect provisions of other laws requiring FCUs to maintain or destroy such records.

The proposed rule is intended to be similar to the rules that will be issued by the other financial institution regulators and the rule recently issued by the FTC that will apply to state-chartered credit unions, as well as similar to the information security provisions of the Gramm-Leach-Bliley Act and other comparable federal laws. FCUs are expected to implement these measures in a manner consistent with NCUA’s Guidelines for Safeguarding Member Information (Guidelines). This is to ensure that controls for the proper disposal of consumer information are integrated in the FCUs information security programs, as described in the Guidelines. Click below for more information about these Guidelines:

The proposal also amends the current Guidelines to address the disposal of consumer information in the same manner that the Guidelines address member information. “Consumer information” may or may not include “member information” as “consumer information” generally refers to information the credit union obtains on any individual, member or nonmember, that is derived from a consumer report while “member information” generally refers to nonpublic personal information about a member.

Although no methods of disposal are required, such disposal should ensure that the records are unreadable, such as by shredding or other means. As for computer-based records, credit unions should note that residual information often remains after data is erased and additional methods may be needed to dispose of the information.

FCUs are expected to review how their service providers dispose of consumer information and, if necessary, should require service providers to develop appropriate measures for the proper disposal of the information. If warranted, FCUs are also expected to monitor the service providers to confirm that they have satisfied their contractual obligations.

The rule will be effective three months after the final rule is issued, which should be no later than December 4, 2004. Credit unions will have one year after the final rule is issued to amend contracts with service providers to incorporate the necessary requirements regarding the proper disposal of consumer information.

(NCUA has specifically requested comment on most of the issues raised in these questions.)

Eric Richard • General Counsel • (202) 508-6742 •
Mary Mitchell Dunn • SVP & Associate General Counsel • (202) 508-6736 •
Jeffrey Bloch • Assistant General Counsel • (202) 508-6732 •
Catherine Orr • Senior Regulatory Counsel • (202) 508-6743 •