Compliance Blog

NCUA's privacy rule is an interesting regulation.  We aren't allowed to share information with third parties without offering an opt-out, unless the sharing falls into one of three exceptions.  Some of those exceptions are less than clear, though.  Can you write the account number of your member on the back of checks?  Can you verify funds when other financial institutions call?  These are tough questions. 

A few weeks ago, I stumbled upon some guidance issued by the NCUA.  (What scares me is that I likely found this before, but just forgot that it existed.  Ugh.)  The guidance really clears up these issues. (Note that the citations refer to the applicable section of NCUA's privacy regulation, which is found at 12 C.F.R. Part 716.)

 Q. I made a loan to a consumer who defaulted. In trying to collect the bad loan, I wish to learn information to locate the defaulting borrower. I believe that a financial institution unaffiliated with me may have some helpful information about the borrower. If I were to ask that institution for information, I would disclose nonpublic personal information, such as the fact that I have a loan to a particular consumer. I previously notified my borrower that, among other things, I make disclosures as permitted by law. Must I allow my borrower to opt out of my question to the financial institution?

A. No. You may disclose nonpublic personal information to the financial institution without complying with the opt out provisions as necessary to enforce a consumer loan where the disclosure is required or is one of the lawful or appropriate methods to enforce your rights. § ___.14(b)(1).

 Q. We often receive phone calls from auto dealers or other financial institutions requesting loan pay-off amounts on our customers. May we respond to these requests without providing those members with a reasonable opportunity to opt out of that kind of disclosure?

A.Yes, if the disclosure is in connection with servicing or processing a financial product or service from the third party that the member has requested or authorized. In your case, for example, you may disclose loan pay-off information to a third party lender where your member seeks to refinance the loan with the other lender. Alternatively, you may disclose nonpublic personal information that is required, or is a usual, appropriate or acceptable method to carry out the transaction that the member has requested or authorized. § ___.14(a). This would be the case, for example, if the car dealer accepts your member's car as partial consideration for the purchase of another vehicle and wants to know the outstanding amount on the member's car loan with you.
As discussed in response to several of the questions above, you should be aware of the possibility that the caller may be attempting to obtain information about your member through false or fraudulent statements to you. Toward this end, you must ensure that you respond to the caller in accordance with the controls you have implemented as part of your information security program.

Q. I offer consumer checking accounts. I notify my members that, among other things, I make disclosures as permitted by law. My checking account members deposit checks made payable to my member but drawn on a financial institution unaffiliated with me. My practice is to write my member's account number on the back of the deposited check to facilitate its processing. The check itself then goes to the maker's financial institution, with my member's account number on the check. Is this a disclosure of nonpublic personal information that would be subject to opt out requirements or the prohibition against sharing account numbers?

A.No. The opt out provisions do not apply to disclosures in connection with servicing or processing a financial product or service that a member requests or authorizes. Nor do they apply to disclosures that are required, or are a usual, appropriate, or acceptable method in connection with settling, processing, clearing, transferring, reconciling or collecting amounts charged, debited or otherwise paid. §§ ___.14(a), ___(b)(2)(vi)(A). Also, because the account number is added to the check solely for use in processing the check and is not used in connection with marketing by a third party, this disclosure is not prohibited by the ban on disclosing account numbers for marketing purposes. § ___.12.

• Go here to see the NCUA source document for these questions and answers.  There is a lot of delicious, privacy goodness there.
• Go hereto view NCUA's Privacy Regulation.