CUNA Regulatory Comment Call
October 20, 2000
NCUA's Proposed Rule on the Fair Credit Reporting Act (Major Rule - Applies to Federal Credit Unions)
- Under the Fair Credit Reporting Act (FCRA), information regarding a consumer's transactions and experiences may be disclosed to affiliates without incurring the substantial obligations that would otherwise be required under the FCRA. Other information covered under the FCRA may also be disclosed to affiliates without incurring these obligations if the consumer receives notice and the right to "opt out" of the disclosure.
- The privacy rules required under the Gramm-Leach-Bliley Act require that privacy notices include the disclosures that are required under the FCRA. The financial institution regulators are now issuing proposed rules to provide guidance on these affiliate information-sharing requirements of the FCRA to assist financial institutions in providing the disclosures as required under the privacy rules. The National Credit Union Administration's (NCUA's) proposed rule is similar to those of the other regulators.
- The proposed rules are intended to conform the notification and opt out requirements of the FCRA with the privacy rules to the extent possible.
- NCUA's proposed rule includes a sample notice to help credit unions comply with these FCRA requirements.
- As with the privacy rules that NCUA approved in May, a federal credit union must provide an opt out notice to each borrower or loan guarantor only if the credit union intends to communicate the information to an affiliate.
- Although all federally insured credit unions must follow NCUA's privacy rules, only federal credit unions are covered under this proposed rule regarding the FCRA requirements.
Comments are due by December 26. Please submit your comments to CUNA by December 19. Please feel free to fax your responses to CUNA at 202-371-8240; e-mail them to Associate General Counsel Mary Dunn at firstname.lastname@example.org or to Assistant General Counsel Jeffrey Bloch at email@example.com; or mail them to Mary or Jeff in c/o CUNA's Regulatory Advocacy Department, 805 15th Street, NW, Suite 300, Washington, DC 20005. Please contact us if you need more information.
Enacted in 1970, the FCRA sets standards for the collection, communication, and use of information bearing on a consumer's credit worthiness, credit standing, credit capacity, character, general reputation, personal characteristics, or mode of living. Until 1996, many institutions avoided disclosing such information to affiliated companies because it could be considered a "consumer report," which would therefore subject these institutions to the significant obligations that the FCRA imposes on consumer reporting agencies.
The FCRA was amended in 1996 to exclude specific types of information-sharing with affiliates from the definition of "consumer report." Institutions that make these disclosures are not subject to the obligations that are imposed on consumer reporting agencies. These disclosures include information as to transactions or experiences between the consumer and the person making the disclosure. These disclosures also include other information covered by the FCRA, provided that the institution provides the consumer with notice and an opportunity to "opt out," or direct that the information not be communicated. Click here for CUNA's summary of the FCRA.
The 1996 amendments to the FCRA prohibited the regulators from implementing regulations. The Gramm-Leach-Bliley Act that was enacted last year repealed this prohibition and authorized the regulators to issue rules as necessary in order to carry out the purposes of the FCRA.
By July 1, 2001, financial institutions will be required to distribute privacy notices to consumers. Click here for CUNA's Final Analysis of these privacy rules. Among other items, these notices must include the disclosures that are required under the FCRA. In order to facilitate compliance with these requirements, the regulators, including NCUA, are now issuing proposed rules to provide guidance on the affiliate information-sharing requirements of the FCRA to assist financial institutions in providing the disclosures as required under the privacy rules. The proposed rule is intended to conform the notice and opt out requirements of the FCRA with the privacy rules to the extent possible.
The regulators, including NCUA, recognize that the FCRA raises other significant issues and they plan to address them early next year in an advance notice of proposed rulemaking. The regulators will solicit comment at that time and will then issue proposed rules.
DESCRIPTION OF THE PROPOSED RULE
The proposed rule includes many definitions. The following are the most significant:
Affiliate - As with the privacy rules, this is generally defined as control by one entity over another, or entities under common control. For federal credit unions, affiliates will be credit union service organizations (CUSOs) if at least 67% of the CUSO is owned by credit unions, regardless of the percentage owned by any one credit union.
Clear and Conspicuous - This is defined as reasonably understandable and designed to call attention to the notice. Here are examples:
- Clear and concise sentences, paragraphs, and sections.
- Short sentences and bullet points.
- "Every day" words and use of the active voice.
- Absence of multiple negatives.
- Absence of legal and technical terminology to the extent possible.
- Absence of imprecise explanations that could be subject to different interpretations.
- Plain language headings.
- Typeface and size that are easy to read.
- Wide margins and ample line spacing.
- Boldface or italics for key words.
- If combined with another document, such as a newsletter, use of different type sizes, styles, and graphics, such as shading and sidebars.
Additional examples for websites include:
- Labeling the notice in such a way so as to convey its importance and relevance and placing it on a page that is accessed frequently, such as a page on which transactions are conducted.
- Using text or cues to encourage scrolling that may be needed in order to view the entire notice.
- Minimizing other elements on the webpage, such as text, graphics, links, or sounds, so that they do not detract attention from the notice.
Consumer Report - This generally tracks the FCRA and includes communication by a consumer reporting agency that bears on a consumer's credit worthiness, credit standing, credit capacity, character, reputation, personal characteristics, or mode of living which may be used to establish eligibility for the purposes authorized under the FCRA, including:
- credit or insurance for personal, family, or household purposes; or
- employment purposes.
This definition excludes information regarding transactions and experiences between the consumer and the person making the report. The terms "transactions" and "experiences" are not defined. The definition excludes the other information covered under the FCRA if the consumer receives notice and is provided the opportunity to opt out.
Consumer Reporting Agency - This means entities that assemble or evaluate information on consumers for the purpose of furnishing consumer reports to third parties.
Opt Out Information - This is the term used to describe the "other" information covered under the FCRA that may be disclosed to affiliates if the consumer receives notice and an opportunity to opt out, and does not exercise that right to opt out. This includes information described above under the definition of "consumer report" but, again, excludes information regarding transactions and experiences between the consumer and the person making the report.
Contents of the Opt Out Notice
As noted above, financial institutions incur substantial obligations under the FCRA if the information they share with affiliates is considered a consumer report. The "opt out information," as defined above, will not be considered a consumer report if: 1) the institution provides the consumer with an opt out notice; 2) the institution gives the consumer a reasonable opportunity and means to opt out before the information is shared with affiliates; and 3) the consumer has not opted out.
The opt out notice must be "clear and conspicuous" and must explain the following:
- the categories of opt out information about the consumer that are communicated to affiliates;
- the categories of affiliates that receive the information;
- the consumer's ability to opt out; and
- a reasonable means for the consumer to opt out.
This notice may include future categories of information and future categories of affiliates that may receive the information. The notice may also provide the consumer with the option of an opt out that covers a portion of the information or certain affiliates.
The requirements regarding the categories of the opt out information will be satisfied if the categories of information are listed, along with a few examples. Categories of information may include information from the following sources:
- consumer's application;
- credit report;
- obtained by verifying representations made by the consumer; and
- provided by another person regarding employment, credit, or other relationships with the consumer.
Examples within these categories may include the consumer's income, credit score or credit history, open lines of credit, employment history, marital status, and medical history.
The notice may not include individually identifiable health information if there are not illustrative examples of this information. Credit unions and other financial institutions must also comply with all other aspects of the Health Insurance Portability and Accountability Act of 1996.
The requirements regarding the categories of affiliates will be satisfied if the categories of affiliates are listed, along with a few examples. Categories may include financial service providers and non-financial companies.
Opportunity and Means for Opting Out
The proposed rule will require credit unions to provide members with a "reasonable" time to opt out before the information is disclosed. Providing at least 30 days after the notice is delivered or mailed will be considered reasonable. For electronic notices, this will mean at least 30 days after the member acknowledges receipt of the notice. Members will always have the right to opt out at any time, even if it is beyond a 30-day period, although this will not affect the information that was disclosed prior to the receipt of the opt out request.
Credit unions must provide a "reasonably convenient" method of opting out. Examples include:
- designating check-off boxes in a prominent position on the forms included with the opt out notice;
- including a reply form with the opt out notice;
- providing an electronic means to opt out, if the member agrees, which may include a form that can be e-mailed or a process on a website; or
- a toll-free telephone number that the member may call to exercise the opt out.
Credit unions may require members to opt out through a specific means, if it is reasonably convenient. Credit unions may not require the member to write a letter and credit unions may not send a revised opt out notice that only refers to a check-off box that was included in a previous notice.
Delivery of the Opt Out Notice
Credit unions must deliver the opt out notice so that each member can reasonably be expected to receive actual notice in writing, or electronically if the member agrees. The notice must be provided so that it can be retained or obtained in writing by the member at a later time, or electronically if the member agrees. Examples of permissible delivery methods include:
- hand delivery to the member;
- mailing to the member's last known mailing address, which will be sufficient even if the member moves and does not receive the notice; or
- for members who agree to receive the notice electronically, posting the notice on a website for the member who obtains a product or service and agrees to receive the notice electronically.
Credit unions may not just post a sign in a branch or office or publish advertisements containing the notice. Notices may not be sent electronically to a member who does not obtain a product or service electronically. An oral description of the notice is not sufficient if it is not provided in conjunction with a written or electronic notice. Credit unions may provide a joint notice with one or more affiliates if the notice identifies the affiliates and the notice is accurate with respect to these affiliates.
For joint accountholders, credit unions may provide a single notice to all of the joint accountholders but each of these accountholders has the separate right to opt out. If one of the accountholders opts out, the credit union has two options. It may apply that opt out to all of the accountholders or apply it to just that specific accountholder. However, the opt out notice must explain which option applies. If the opt out only applies to the specific accountholder, the credit union must still permit a joint accountholder to opt out on behalf of the other accountholders and must also permit joint accountholders to opt out on a single response.
Credit unions may not require all accountholders to opt out before implementing any opt out direction. If an opt out is received from a specific accountholder that does not apply to the other accountholders, the credit union may disclose information concerning these other accountholders.
Other Requirements of the Proposed Rule
The following are the additional requirements of the proposed rule:
- If information is disclosed other than as described in the notice, the credit union must provide a revised notice in compliance with the requirements of this rule.
- Credit unions must comply with an opt out request as soon as "reasonably practicable." The rule does not provide a specific time period.
- An opt out from a member applies until revoked by that member and will continue to apply even if the membership relationship is terminated. The member must revoke in writing or electronically. A new notice and opportunity to opt out must be provided if the individual terminates and then re-establishes the member relationship.
- The proposed rule prohibits discrimination against a member who elects to opt out of information-sharing with affiliates. This includes denying credit, varying credit terms, or applying more stringent underwriting standards.
QUESTIONS TO CONSIDER REGARDING NCUA's PROPOSED RULE ON THE FAIR CREDIT REPORTING ACT
(NCUA is specifically requesting comment on the issues raised in these questions.)
- The proposed rule uses examples to provide guidance on how to comply in specific fact situations. Is this appropriate or should another mechanism be used, especially one that can accommodate future changes in technology and practice? If examples are appropriate, should additional or different examples be used? What should those examples be?
- The proposed rule requires clear and conspicuous notices. Do you have concerns about complying with the clear and conspicuous standard when these FCRA opt out notices are included with the initial and annual privacy notices that will be delivered beginning July 1, 2001?
- Should the opt out notice actually state how long the member has to respond before the credit union discloses information to affiliates? Should the notice state that the credit union will wait 30 days before disclosing information? Should the notice actually state that the member may opt out at any time? Would the benefit outweigh the burden? (The privacy rules do not contain this disclosure requirement.)
- The proposed rule contains examples of categories of information and specific items of opt out information that can be included in the opt out notice. To what extent can these categories be treated as consistent with similar categories in the privacy rules that were issued this past May (such as information from consumer reporting agencies) in order to reduce compliance burden and member confusion?
- The proposed rule provides a 30-day time period as an example of a reasonable time that a member should have to respond to an opt out notice before information is disclosed to affiliates. Are there other situations where a different time period should be noted by way of an example?
- Should the provisions in the proposed rule regarding electronic communications be changed in light of the Electronic Signatures in Global and National Commerce Act (the E-Sign law)? (The E-Sign law addresses the use of electronic signatures and records, which may be used if consumers consent and if the other requirements of the E-Sign law are met.)
- If a member chooses to opt out, the proposed rule requires credit unions to comply with this request as soon as "reasonably practicable." Should the rule include a specific time period that would be deemed "reasonably practicable?"
- Other comments?
Eric Richard General Counsel (202) 508-6742 firstname.lastname@example.org
Mary Mitchell Dunn SVP & Associate General Counsel (202) 508-6736 email@example.com
Jeffrey Bloch Assistant General Counsel (202) 508-6732 firstname.lastname@example.org
Catherine Orr Senior Regulatory Counsel (202) 508-6743 email@example.com