Compliance Blog

Happy National Chocolate Cupcake Day! Go ahead and indulge in one of life’s greatest desserts. In fact, grab a cupcake or your favorite treat, something to drink (a cup of coffee as I like) and lets begin discussing the CFPB’s advisory opinion from last week which requires large credit unions to comply with  requests for information.

More specifically, section 1034(c) of the Dodd-Frank Act states that, subject to certain enumerated exceptions, credit unions “shall, in a timely manner, comply with a consumer request for information in the control or possession of [a large credit union] concerning the consumer financial product or service that the consumer obtained from [the credit union], including supporting written documentation, concerning the account of the consumer.” (Emphasis added). But what does this mean in practical terms? Let’s dig in.

First, it is important to note that section 1034(c) only applies to credit unions (and other institutions) that have more than $10 billion in assets and offers or provides consumer financial products or services, such as credit cards, share accounts, mortgage loan products and the like. Second, the law specifically refers to information “concerning the account,” the “consumer” in most cases will be a member of the credit union. For that reason, we will refer to consumers as “members” for the rest of this blog post. Keep in mind, however, that there may be some limited situations in which a non-member may have an account with a credit union – such as non-members who jointly own a share account with a member. Thus, some non-members may also request information under section 1034(c).  Third, while section 1034(c) became effective on July 21, 2011, the CFPB has stated that it does not intend to seek monetary relief for potential violations that occur prior to February 1, 2024.

We now know who this guidance applies to, next let’s discuss what this means for your credit union, how and when to comply, and what the applicable exceptions are. When a member requests information concerning their account, let’s say it is their credit card account, the credit union must respond in a timely manner with information in its possession or control. The bureau explained that the term “concerning” means “relating to” or “regarding” and consequently it encompasses a wide range of information about a member’s account, “even if [members] do not expressly invoke section 1034(c).” Furthermore, credit unions must provide account information to the extent it is in their “control or possession.” This includes both information that a credit union possesses such as balance in an account or information a credit union has the legal right or authority to obtain, such as information held by an affiliate or service provider.

Section 1034(c) also requires, upon request, “supporting written documentation” that will help members understand or verify information regarding their accounts. This means that a credit union may have to provide copies of past periodic statements or check images in the event a member asks for information about past transactions.  

While credit unions do not have to provide information in any particular manner, the CFPB believes a credit union would not be in compliance with section 1034(c) if it imposed requirements on member information that unreasonably impeded a member’s ability to request and receive information. For example, a credit union that charges a fee to respond to an information request is considered unreasonably impeding a member’s exercise of their rights. However, the CFPB also stated that if a member repeatedly requests the same information regarding their account, a credit union may charge a fee. Ultimately, it is dependent on the facts and circumstances surrounding the request. Other examples of violations would be if it provided incomplete or inaccurate information, if a member had excessively long wait times to make a request to a customer service representative, requiring consumers to submit the same request multiple times, requiring consumers to interact with a chatbot that does not understand or adequately respond to consumers’ requests, or directing consumers to obtain information that the institution possesses from a third party instead.

Section 1034(c) does not define what “a timely manner” means. Consequently, there is no specific time limit for responding to member inquiries. With that being said, the CFPB stated that it will “consider the specific circumstances and nature of a particular request to determine compliance” and that it will depend on “the complexity of the request and/or the difficulty of responding.” For example, if a member requests basic information that is readily available, a credit union could respond more quickly, compared to a request that is more complex or if the information is less accessible, it may take longer to respond. Regardless, the CFPB has noted that where both section 1034(c) and another Federal law or regulation applies to the same member information request, the timing requirements should not differ. Meaning a credit union that responds within the time requirements of the other Federal law will have met the timing requirements of section 1034(c).

Finally, let’s not forget the exceptions to this requirement. Below are the four exceptions when a credit union does not have to comply with a member request for information:

1.       Confidential commercial information, such as an algorithm used to derive credit scores;

2.       Information collected for the purpose of preventing fraud or money laundering, or detecting or making any report regarding other unlawful or potentially unlawful conduct;

3.       Information required to be kept confidential by any other provision of law; and

4.       Any nonpublic or confidential information, including confidential supervisory information.

💡 Online Compliance Training Subscriptions: Master the most challenging areas of CU compliance—all accessible by your entire credit union staff 24/7/365. Industry experts cover the hottest topics in a fast, convenient way. Subscribe now. 

🏫 Registration is now open for NAFCU’s 2024 Regulatory Compliance School 

Hurry – this conference sold out in record time in 2023! Join your peers in Arlington, VA March 18 – 22, 2024 for a fundamental course on CU compliance from A to Z. Plus, earn your NAFCU Certified Compliance Officer (NCCO) credential when you pass the optional exams.