Compliance Blog

Mar 13, 2013
Categories: Privacy

House Passes H.R. 749 - The Eliminate Privacy Notice Confusion Act

Written by Steve Van Beek

One of the pieces of NAFCU's five-point plan for regulatory relief is Operational Improvements for Credit Unions - including a specific push for elimination of unnecessary privacy notices. Yesterday, the House took an important step toward this goal by passing H.R. 749.

Now, you might be having déjà vu. Didn't the House pass a similar bill back in December?  They sure did - but since this is a new Congress, they needed to introduce and pass the bill again. And, now attention turns back to the Senate - which failed to pass similar legislation in 2012.

Below is a summary from our December 14th blog post that I've updated slightly with the information from yesterday's action.

***

The Eliminate Privacy Notice Confusion Act & What it Means to Your Credit Union

Summary.  The bill - H.R. 749 - was passed by the House on Tuesday and now awaits action in the Senate.

What will the bill do?  The bill would remove the annual privacy notice requirement for certain financial institutions.  

How do we find out if we would be one of these "certain" financial institutions?  Ah, please join me (again!!) as we wander down the rabbit hole called Regulatory & Legislative Complexity (the middle name is "&" for those keeping score at home).     

The Start.  The annual privacy notice requirement comes from Section 503 of Gramm-Leach-Bliley (15 USC 6803):

"(a) Disclosure required

At the time of establishing a customer relationship with a consumer and not less than annually during the continuation of such relationship, a financial institution shall provide a clear and conspicuous disclosure to such consumer, in writing or in electronic form or other form permitted by the regulations prescribed under section 6804 of this title, of such financial institution’s policies and practices with respect to..."  (emphasis added).

The Bill.  The bill would add subsection (f) to Section 503 of Gramm-Leach-Bliley:

‘‘(f) EXCEPTION TO ANNUAL NOTICE REQUIREMENT.—A financial institution that—

‘‘(1) provides nonpublic personal information only in accordance with the provisions of subsection (b)(2) or (e) of section 502 or regulations prescribed under section 504(b), and

‘‘(2) has not changed its policies and practices with regard to disclosing nonpublic personal information from the policies and practices that were disclosed in the most recent disclosure sent to consumers in accordance with this subsection,

shall not be required to provide an annual disclosure under this subsection until such time as the financial institution fails to comply with any criteria described in paragraph (1) or (2).’’

Ok - so there are two main prongs to obtaining this potential exception.  We'll take them in reverse order. 

Prong 2 - No Changes Since Your Last Privacy Policy.  This is the easier prong.  If you've changed your privacy policy, you'd need to send the annual notice so that members are aware of your new sharing practices.    

Prong 1 - Shares Information Only in Accordance with Exceptions.  This one is where things get a bit dicey.  I'll spoil the ending by letting you know that if this bill becomes law - the CFPB should be amending Regulation P and will have a great opportunity to provide clarity to everyone (credit unions, banks, consumers, etc.).

In order to satisfy Prong 1, credit unions need to share nonpublic personal information about their members "only in accordance with the provisions of subsection (b)(2) or (e) of section 502 or regulations prescribed under section 504(b)."  But, what does that mean?   

These two provisions discuss the situations where credit unions can share nonpublic personal information with nonaffiliates without having to provide the member an opt-out.  

Section 502(b)(2) - 15 USC 6802(b)(2).  This provision outlines the exception for service providers and joint marketing agreements.  It is implemented in 12 CFR 1016.13 of Regulation P.  

Section 502(e) - 15 USC 6802(e).  This provision contains the general exceptions to the opt-out requirements.  Credit unions can share information with nonaffiliated third parties in these situations - such as to service or process a transaction or at the member's request - without needing to provide the member an opportunity to opt-out.  These exceptions are outlined in 12 CFR 1016.14 & 12 CFR 1016.15 of Regulation P.   

***

Confused?  The crux is that in order to satisfy Prong 1 your credit union would need to only share information with nonaffiliates in ways that do not trigger the requirement to provide members the right to opt-out.  Prong 2 is easier in that it will be met if you have had no changes to your privacy policy since your last mailing.  

Your Homework?  Check out whether your credit union's existing privacy policy requires you to provide members the right to opt-out because your credit union shares nonpublic personal information with nonaffiliated third parties.  

Outcome 1:  If you aren't currently required to provide the opt-out to members, this bill could provide some real regulatory relief as it could remove the requirement to send your privacy policy on an annual basis.

Outcome 2:  If you currently share with nonaffiliated third parties (outside of the exceptions discussed above) and are required to provide members the opt-out, check how many nonaffiliated third parties you share with.  How valuable are those relationships?  How does that compare with the regulatory cost (and printing costs and mailing costs) of sending the annual privacy notice?  

***

Reminder:  Keep in mind that this bill still needs to work its way through the Senate.  Additionally, the CFPB would need to amend Regulation P to implement these changes and provide clarity. And, as we discussed in yesterday's blog post - it isn't always a fast process.