Privacy Notification Change May Affect Your Credit Union

Sending out annual privacy notices is a costly regulatory requirement that can also create confusion with members. While the 113th Congress did not pass privacy notification legislation by year-end 2014, there is an alternative option available to Missouri’s credit unions via a new rule from the Consumer Financial Protection Bureau (CFPB). 

Background: Under the Gramm-Leach-Bliley Act (GLBA), financial institutions are required to send annual privacy notices to customers/members, describing whether and how they share consumers’ nonpublic personal information. If the institution does share this information, it must notify consumers of their right to opt out and inform them how to do so.

CFPB Change:

The CFPB amended the privacy regulation to provide an alternative delivery method (allowing financial institutions to post the policy online instead of mailing it out), as long as the following criteria are met: 

  1. The credit union does not disclose members’ nonpublic personal information to nonaffiliated third parties in a manner that triggers opt-out rights (i.e. nonpersonal information is only shared as allowed by one of the exceptions to the regulation);
  2. The credit union does not include the Fair Credit Reporting Act (FCRA) affiliate sharing opt-out notice on its annual privacy notice;
  3. The requirements of the FCRA Affiliate Marketing Rule, if applicable, have been satisfied previously, or the annual privacy notice is not the only notice provided to satisfy this requirement;
  4. The information included in the privacy notice has not changed since the member received the previous notice (whether initial, annual, or revised), other than to eliminate categories of information you disclose or categories of third parties to whom you disclose information; and
  5. The credit union used the model privacy form provided in the regulation.

If the credit union meets these five criteria and chooses to use the alternative delivery method to provide members with an annual privacy notice, the credit union must:

1.  Inform members in a clear and conspicuous manner, not less than annually, on an account statement, coupon book, or a notice or disclosure required or allowed by law:

a. that your privacy notice is available on your website;
b. the privacy notice will be mailed to members who request it by telephone;
c. include a statement that the credit union’s privacy notice has not changed; and
d. include a specific Web address that takes the member directly to the page where the privacy notice is posted and a telephone number for the member to request that it be mailed.
 
Sample Notice:
Privacy Notice – Federal law requires us to tell you how we collect, share and protect your personal information. Our privacy policy has not changed and you may review our policy and practices with respect to your personal information at [Web address] or we will mail you a free copy upon request if you call us at [telephone number].
 

2.  Post your current privacy notice in a continuous, clear and conspicuous manner on a page of your website on which the only content is the privacy notice, without requiring a login name, password, or similar steps or agreeing to any conditions to access the page; and

3.  Mail your current privacy notice to members who request it by telephone within ten days.

If your credit union chooses not to use the new disclosure method, it must continue to deliver annual privacy notices to its customers using other delivery methods.

The final rule is only available to credit unions that do not share information with nonaffiliated third parties. In other words, credit unions that share information with nonaffiliated third parties cannot take advantage of this final rule. 

For additional information, see the final rule in its entirety. 

Questions?

The Missouri Credit Union Association’s (MCUA) Compliance staff will review the CFPB rule during the January MCUA compliance call, which takes place on January 21 at 3 p.m. You can also call the MCUA Regulatory Compliance Department at 800-446-3620.

Information Request:

Missouri’s members of Congress have asked MCUA advocacy about the impact of the CFPB rule on credit unions in our state, including how many will be able to utilize the new option. Please contact Amy McLard, MCUA SVP of Advocacy, at amclard@mcua.org or 314.542.1370 with the following information:

  1. Credit union name
  2. Will your credit union adopt the CFPB notice option?
  3. If no, please share why.

Your response will help with privacy notification bill efforts in the 114th Congress.