Back to Basics: To Share or Not to Share…That is the Question
What type of member information can be shared? Who can we share members’ information with? When can we share members’ information? NAFCU’s Compliance Team regularly fields these types of questions from our members. So, let’s get back to the basics and review the general principles of Privacy of Consumer Financial Information, which are found in Regulation P, the rule that implements the Gramm-Leach-Bliley Act of 1999 (“GLBA”).
It may seem complicated at first, but the main concept of Regulation P is that a credit union must create privacy policies and disclose them to its members. In particular, the regulation requires a credit union to provide a notice that describes the information it gathers from its members and shares with third parties, and to give members the opportunity to opt out of having their information shared. Alternatively, a credit union can satisfy one of the exceptions in sections 1016.13 through 1016.15 of Regulation P, which we will get to later.
What information can be shared?
Regulation P contains a general prohibition against sharing nonpublic personal information. But what is nonpublic personal information? Section 1016.3(p) of Regulation P defines nonpublic personal information as personally identifiable financial information, including any information that is derived using personally identifiable financial information that is not publicly available. This includes information provided on a loan application or a credit card application, account balance information, payment history, credit or debit card purchase information, and even the fact that an individual is a member of the credit union. It does not include information that a credit union reasonably believes is publicly available, such as a member’s phone number that could be found in the white pages.
Who can information be shared with?
Regulation P, section 1016.10, prohibits a credit union from disclosing any nonpublic personal information about a consumer to a nonaffiliated third party. What is a nonaffiliated third party? A nonaffiliated third party is any person or company that is not controlled by, or under common control with, the credit union. For example, an automobile dealership would be a nonaffiliated third party to the credit union that provided a member with an auto loan.
When can nonpublic personal information be shared with nonaffiliated third parties?
What is McHenry’s Data Privacy Act?
The Chairman of the House Financial Services Committee, Patrick McHenry, introduced a bill (the Data Privacy Act of 2023) last month which would expand financial data privacy laws. This bill would build on the Gramm-Leach-Bliley Act (“GLBA”) and ultimately create a national privacy standard which would provide consumers more control over the collection and use of their personal information. Among other things, the bill would:
- Require financial companies to offer consumers more disclosures regarding their financial data, including when a consumer’s nonpublic personal information is being collected and why it is being collected;
- Allow consumers to request that their data stop being collected and for the records to be deleted;
- Expand the definition of a financial institution;
- Expand the definition of nonpublic information;
- Provide consumers access to data, including the data being held, how their data is used, and which entities the financial institutions share consumer data with; and
- Require preemption of state privacy laws, which would create a national standard.
While this bill is in the early stages, NAFCU will continue to watch its progression and provide updates as they occur.
Bourbon, Barns, Bluegrass, and BSA School!
Deepen your understanding of the BSA’s anti-money laundering requirements and the regulations credit unions must comply with at NAFCU’s highly regarded BSA School in Louisville, Kentucky, August 15 – 17, 2023. Save $200.00 with the code BSASAVINGS for a limited time.
Risk Management Seminar | Louisville, KY
Understand and prepare your credit union for the most severe internal and external threats. Plus, earn your NAFCU Certified Risk Manager (NCRM) credential when you pass the exam, or recertify by attending (no exam required!).