Compliance Blog

What type of member information can be shared? Who can we share member’s information with? When can we share member’s information? NAFCU’s Compliance Team regularly fields these types of questions from our members. So, let’s get back to the basics and review the general principles of Privacy of Consumer Financial Information, which are found in  Regulation P, which  implements the Gramm-Leach Bliley Act of 1999 (“GLBA”).

It may seem complicated at first, but the main concept of Regulation P is that a credit union must create and disclose with members their privacy policies. In particular, the regulation requires credit unions to provide a notice which describe the information it gathers from its members and shares with third parties and to give members the opportunity to opt-out of having their information shared. Alternatively, a credit union can satisfy an exception within section 1016.13 through 1016.15 of Regulation P which we will get to later.

What information can be shared?

Regulation P contains a general prohibition against sharing nonpublic personal information. But what is nonpublic personal information? Section 1016.3(p) of Regulation P defines nonpublic personal information as personally identifiable financial information, including any information that is derived using any personally identifiable financial information that is not publicly available. This includes information provided on a loan application, a credit card, account balance information, payment history, credit or debit card purchase information, and even the fact that an individual is a member of the credit union. This does not include information that a credit union reasonably believes is publicly available such as member’s phone number that could be found in the white pages.

Who can information be shared with?

Regulation P, section 1016.10 prohibits a credit union from disclosing any nonpublic personal information about a consumer to a nonaffiliated third party. What is a nonaffiliated third party? A nonaffiliated third party is any person or company that is not controlled by or under common control with the credit union. For example, an automobile dealership would be a nonaffiliated third party to the credit union who provided a member with an auto loan.

When can nonpublic personal information be shared with nonaffiliated third parties?

There are two ways that a credit union can share nonpublic personal information with nonaffiliated third parties. First, if a member was provided the initial privacy policy, had a reasonable opportunity to opt out and the member didn’t opt out, under section 1016.10, a credit union could share a members nonpublic personal information with nonaffiliated third parties. Model privacy notices can be found in the Appendix to Regulation P. The limits on what the third party can do with the information is contained in section 1016.11(b).

Second, if the credit union satisfied one of the three exceptions from sections 1016.13 through 1016.15 of Regulation P, then sharing will be permitted. Section 1016.13 allows for sharing of a member’s information for service providers and joint marketing. This exception requires that the credit union disclose this in their initial privacy policy and have a contractual agreement with the third party that prohibits it from using the information for any purpose other than for the purposes for which it received the information. Section 1016.14 allows for sharing of member information for processing and servicing transactions. This exception allows a credit union to disclose member information freely to carry out routine business transactions such as mailing account statements, collecting a share draft, or processing payments. Lastly, section 1016.15 contains other general exceptions such as, consumer consent, a person acting in a fiduciary capacity, a credit union complying with a properly authorized subpoena or with Federal, state, or local laws. In these scenarios, a credit union is permitted to disclose member information to nonaffiliated third parties. As noted above, section 1016.11 contains important limitations on information that can be shared.

What is the McHenry’s Data Privacy Act?

The Chairman of the House Financial Services Committee, Patrick McHenry, introduced a bill (the Data Privacy Act of 2023) last month which would expand financial data privacy laws. This bill would build on the Gramm-Leach-Bliley Act (“GLBA”) and ultimately create a national privacy standard which would provide consumers more control over the collection and use of their personal information. Among other things, the bill would:

• Require financial companies to offer consumers more disclosures regarding their financial data, including when a consumer’s nonpublic personal information is being collected and why they are collecting it;
• Allow consumers to request that their data stop being collected and for the records to be deleted;
• Expand the definition of a financial institution;
• Expand the definition of nonpublic information;
• Provide consumers access to data, including the data being held, how their data is used, and which entities the financial institutions share consumer data with; and
• Requires preemption of state privacy laws, which would create a national standard.

While this bill is in the early stages, NAFCU will continue to watch its progression and provide updates as they occur.

Burbon, Barns, Bluegrass, and BSA School! 

Deepen your understanding of BSA's anti-money laundering requirements and the regulations Credit Unions must comply with at NAFCU’s highly regarded BSA School in Louisville, Kentucky August 15 – 17, 2023. Save $200.00 with the code BSASAVINGS for a limited time. 

Risk Management Seminar | Louisville, KY  

Understand and prepare your credit union for the most severe internal and external threats. Plus, earn your NAFCU Certified Risk Manager (NCRM) credential when you pass the exam -- or recertify by attending (no exam required!).