Compliance Blog

Oct 27, 2010
Categories: Privacy

Some Private Thoughts; Early Bird Expires Today

Posted by Anthony Demangone

Quite a few NAFCU members have called us on privacy issues.  It seems that quite a few credit unions are in the midst of creating a new privacy disclosure using the new model privacy disclosure format. Quite a few callers are confused as to what a non-affiliated third party is, or when a member gets the right to opt-out of information sharing.  Other callers simply do not have a good handle on how they handle and share member information.

With that in mind, here are some general thoughts for those who are drafting privacy disclosures.

  • Your privacy policy drives the disclosure.  To fill out the form correctly, a credit union has to know how it shares information.  This should be spelled out in a policy, and that policy should be shared with anyone who has the ability to share member information.  Does your credit union share information with non-affiliated third parties outside of one of the exceptions to providing an opt-out?  Don't look at me.  That's something you must be able to answer yourself.  
  • Think about having a privacy officer.  I just made that up, but it might make sense.  You have many different parts of your credit union that share member information with third parties - hopefully in concert with your privacy policy.  When someone wants to do something new, such as share information with another company to market something, are they reviewing the privacy policy to see if the new practice is kosher? Are they reporting the proposed information sharing relationship to the person who is managing the privacy disclosure? Having a central person to manage information sharing would help to keep everyone on the same page.
  • Shameless plug. If you’re interested in having NAFCU print and deliver your privacy notice after you’ve customized it based on your privacy policy, you can click here to learn more.
  • Here are some aids that might help you as you put together your model disclosures:
    • NCUA's Small Credit Union Privacy Compliance Guide.  This resource provides a wonderful overview of NCUA's privacy rule, and it reviews basic privacy concepts that are fundamental to understanding the regulation.  Keep in mind that this guide was written before the model form was created, so please ignore any discussion in the guide concerning how to construct a privacy notice.
    • The FDIC's Model Privacy Form Compliance Guide.  The FDIC did a nice job of discussing issues related to the new model form, and they put together a 7-page compliance guide.  Very handy!
    • NCUA's Consumer Privacy FAQ document. There are a ton of gems in there.  Such as ....

Q. I offer consumer checking accounts. I notify my customers that, among other things, I make disclosures as permitted by law. My checking account customers deposit checks made payable to my customer but drawn on a financial institution unaffiliated with me. My practice is to write my customer’s account number on the back of the deposited check to facilitate its processing. The check itself then goes to the maker’s financial institution, with my customer’s account number on the check. Is this a disclosure of nonpublic personal information that would be subject to opt out requirements or the prohibition against sharing account numbers?

A. No. The opt out provisions do not apply to disclosures in connection with servicing or processing a financial product or service that a consumer requests or authorizes. Nor do they apply to disclosures that are required, or are a usual, appropriate, or acceptable method in connection with settling, processing, clearing, transferring, reconciling or collecting amounts charged, debited or otherwise paid. §§ ___.14(a), ___.14(b)(2)(vi)(A). Also, because the account number is added to the check solely for use in processing the check and is not used in connection with marketing by a third party, this disclosure is not prohibited by the ban on disclosing account numbers for marketing purposes. § ___.12.

Here's one final thought.  The new model privacy form is not mandatory.  Said another way, you don't have to use it. But it is the only way to enjoy "safe harbor" protection beginning in 2011.  Moving to the new model form may not be easy, but always keep your eye on the prize (the safe harbor).

***

The early bird pricing for the November 3 NAFCU "Annual Compliance Roundup" webcast ends today. Hey - I won't be offended if you don't sign up.  I understand that training budgets are limited.  But if you do plan to sign up, by all means do so today. You'll save $100.