CUNA Regulatory Comment Call

October 20, 2000

NCUA's Proposed Rule on the Fair Credit Reporting Act

(Major Rule - Applies to Federal Credit Unions)


Comments are due by December 26. Please submit your comments to CUNA by December 19. Please feel free to fax your responses to CUNA at 202-371-8240; e-mail them to Associate General Counsel Mary Dunn at or to Assistant General Counsel Jeffrey Bloch at; or mail them to Mary or Jeff in c/o CUNA's Regulatory Advocacy Department, 805 15th Street, NW, Suite 300, Washington, DC 20005. Please contact us if you need more information.


Enacted in 1970, the FCRA sets standards for the collection, communication, and use of information bearing on a consumer's credit worthiness, credit standing, credit capacity, character, general reputation, personal characteristics, or mode of living. Until 1996, many institutions avoided disclosing such information to affiliated companies because it could be considered a "consumer report," which would therefore subject these institutions to the significant obligations that the FCRA imposes on consumer reporting agencies.

The FCRA was amended in 1996 to exclude specific types of information-sharing with affiliates from the definition of "consumer report." Institutions that make these disclosures are not subject to the obligations that are imposed on consumer reporting agencies. These disclosures include information as to transactions or experiences between the consumer and the person making the disclosure. These disclosures also include other information covered by the FCRA, provided that the institution provides the consumer with notice and an opportunity to "opt out," or direct that the information not be communicated. Click here for CUNA's summary of the FCRA.

The 1996 amendments to the FCRA prohibited the regulators from implementing regulations. The Gramm-Leach-Bliley Act that was enacted last year repealed this prohibition and authorized the regulators to issue rules as necessary in order to carry out the purposes of the FCRA.

By July 1, 2001, financial institutions will be required to distribute privacy notices to consumers. Click here for CUNA's Final Analysis of these privacy rules. Among other items, these notices must include the disclosures that are required under the FCRA. In order to facilitate compliance with these requirements, the regulators, including NCUA, are now issuing proposed rules to provide guidance on the affiliate information-sharing requirements of the FCRA to assist financial institutions in providing the disclosures as required under the privacy rules. The proposed rule is intended to conform the notice and opt out requirements of the FCRA with the privacy rules to the extent possible.

The regulators, including NCUA, recognize that the FCRA raises other significant issues and they plan to address them early next year in an advance notice of proposed rulemaking. The regulators will solicit comment at that time and will then issue proposed rules.



The proposed rule includes many definitions. The following are the most significant:

Affiliate - As with the privacy rules, this is generally defined as control by one entity over another, or entities under common control. For federal credit unions, affiliates will be credit union service organizations (CUSOs) if at least 67% of the CUSO is owned by credit unions, regardless of the percentage owned by any one credit union.

Clear and Conspicuous - This is defined as reasonably understandable and designed to call attention to the notice. Here are examples:

Additional examples for websites include:

Consumer Report - This generally tracks the FCRA and includes communication by a consumer reporting agency that bears on a consumer's credit worthiness, credit standing, credit capacity, character, reputation, personal characteristics, or mode of living which may be used to establish eligibility for the purposes authorized under the FCRA, including:

This definition excludes information regarding transactions and experiences between the consumer and the person making the report. The terms "transactions" and "experiences" are not defined. The definition excludes the other information covered under the FCRA if the consumer receives notice and is provided the opportunity to opt out.

Consumer Reporting Agency - This means entities that assemble or evaluate information on consumers for the purpose of furnishing consumer reports to third parties.

Opt Out Information - This is the term used to describe the "other" information covered under the FCRA that may be disclosed to affiliates if the consumer receives notice, an opportunity to opt out, and does not exercise that right to opt out. This includes information described above under the definition of "consumer report" but, again, excludes information regarding transactions and experiences between the consumer and the person making the report.

Contents of the Opt Out Notice

As noted above, financial institutions incur substantial obligations under the FCRA if the information they share with affiliates is considered a consumer report. The "opt out information," as defined above, will not be considered a consumer report if the institution: 1) provides the consumer with an opt out notice; 2) gives the consumer a reasonable opportunity and means to opt out before the information is shared with affiliates; and 3) the consumer has not opted out.

The opt out notice must be "clear and conspicuous" and must explain the following:

This notice may include future categories of information and future categories of affiliates that may receive the information. The notice may also provide the consumer with the option of an opt out that covers a portion of the information or certain affiliates.

The requirements regarding the categories of the opt out information will be satisfied if the categories of information are listed, along with a few examples. Categories of information may include information from the following sources:

Examples within these categories may include the consumer's income, credit score or credit history, open lines of credit, employment history, marital status, and medical history.

The notice may not include individually identifiable health information if there are not illustrative examples of this information. Credit unions and other financial institutions must also comply with all other aspects of the Health Insurance Portability and Accountability Act of 1996.

The requirements regarding the categories of affiliates will be satisfied if the categories of affiliates are listed, along with a few examples. Categories may include financial service providers and non-financial companies.

Opportunity and Means for Opting Out

The proposed rule will require credit unions to provide members with a "reasonable" time to opt out before the information is disclosed. Providing at least 30 days after the notice is delivered or mailed will be considered reasonable. For electronic notices, this will mean at least 30 days after the member acknowledges receipt of the notice. Members will always have the right to opt out at any time, even if it is beyond a 30-day period, although this will not affect the information that was disclosed prior to the receipt of the opt out request.

Credit unions must provide a "reasonably convenient" method of opting out. Examples include:

Credit unions may require members to opt out through a specific means, if it is reasonably convenient. Credit unions may not require the member to write a letter and credit unions may not send a revised opt out notice that only refers to a check-off box that was included in a previous notice.

Delivery of the Opt Out Notice

Credit unions must deliver the opt out notice so that each member can reasonably be expected to receive actual notice in writing, or electronically if the member agrees. The notice must be provided so that it can be retained or obtained in writing by the member at a later time, or electronically if the member agrees. Examples of permissible delivery methods include:

Credit unions may not just post a sign in a branch or office or publish advertisements containing the notice. Notices may not be sent electronically to a member who does not obtain a product or service electronically. An oral description of the notice is not sufficient if it is not provided in conjunction with a written or electronic notice. Credit unions may provide a joint notice with one or more affiliates if the notice identifies the affiliates and the notice is accurate with respect to these affiliates.

For joint accountholders, credit unions may provide a single notice to all of the joint accountholders but each of these accountholders has the separate right to opt out. If one of the accountholders opts out, the credit union has two options. It may apply that opt out to all of the accountholders or apply it to just that specific accountholder. However, the opt out notice must explain which option applies. If the opt out only applies to the specific accountholder, the credit unions must still permit a joint accountholder to opt out on behalf of the other accountholders and must also permit joint accountholders to opt out on a single response.

Credit unions may not require all accountholders to opt out before implementing any opt out direction. If an opt out is received from a specific accountholder that does not apply to the other accountholders, the credit union may disclose information concerning these other accountholders.

Other Requirements of the Proposed Rule

The following are the additional requirements of the proposed rule:


(NCUA is specifically requesting comment on the issues raised in these questions.)

Eric Richard • General Counsel • (202) 508-6742 •
Mary Mitchell Dunn • SVP & Associate General Counsel • (202) 508-6736 •
Jeffrey Bloch • Assistant General Counsel • (202) 508-6732 •
Catherine Orr • Senior Regulatory Counsel • (202) 508-6743 •