Compliance Blog

Jun 24, 2019

The World Wide Web... of Policies and Notices

Written by Loran Jackson, Regulatory Compliance Counsel

Hi compliance friends! Since we all spend about 25 hours per day online, let’s take a look at some of the content posted there… policies and notices! Credit unions attempt to keep many policies and notices in a form that is easily accessible to members, which may sometimes include being hosted on the credit union’s website. We get plenty of questions about which policies are required or expected to be posted on a credit union’s website (as opposed to being sent by carrier pigeon). Some of these include: privacy policies, funds availability, notices about third-party links, suspension of services and financial statements.

Privacy Policy

In general, credit unions are required by Reg P to deliver annual privacy notices to members and revised notices if the credit union’s policy changes. For sending annual and revised notices, section 1016.9 provides general delivery requirements. This section does not provide one universal method of delivering notices, but requires notices to be delivered “so that each consumer can reasonably be expected to receive actual notice in writing or, if the consumer agrees, electronically.” Therefore, posting notices on the website is only permitted if doing so would meet this standard. Regulation P contains illustrations of delivery methods that meet this standard. For example, posting notices online may be permissible for members who conduct transactions electronically, or receive e-statements. Those members can reasonably be expected to see an online notice if it is placed on one of the pages they access to conduct online transactions or see statements. However, if the credit union is aware that members do not participate in online banking, the credit union may need to send the privacy policy in a form more suitable to its members, such as the good old-fashioned U.S. Postal Service. Credit unions may choose multiple ways of delivering the privacy notice, like posting it online along with sending it with printed statements. Additionally, the privacy policy should be available in writing upon request by a member. Therefore, having a direct link to the policy may be a convenient way to fulfill this request if the requesting member agrees to receive the policy electronically.

Funds Availability Policy

According to Reg CC, sections 229.15-229.18, credit unions are required to post a notice of the funds availability policy where it can be seen at the time of deposit, and to potential members prior to opening an account. The rules regarding notice prior to account opening require credit unions to provide disclosures prior to accepting an initial deposit to open an account. For notice disclosures required at the time of any other deposit, credit unions are required to post the notice at any location where its employees receive deposits, on deposit slips, and at ATMs. Although the regulation does not explicitly require an online notice, the appropriate form of providing the funds availability policy may depend on where the deposit is made. For example, if a potential member makes their account opening deposit online, it may be appropriate to provide the funds availability policy on a page they access before making their deposit. The commentary to section 229.18 regarding teller windows and ATMs emphasizes that credit unions are expected to place the policy “in a place where consumers seeking to make deposits are likely to see it before making their deposits.” If members are able to make deposits online, it may be a reasonable decision to include the funds availability policy on a page where a member could make a deposit. Additionally, the funds availability policy should be made available upon request by a member. Therefore, having a direct link to the policy may be a convenient way to fulfill this request if the requesting member consents to receiving the policy electronically. In some circumstances, the member’s account agreement may provide sufficient consent (see commentary to 229.15(a)).

Third-Party Links Notice

This NCUA letter to credit unions explains the best practices for credit unions when using third-party links. In short, the letter explains that the NCUA expects credit unions to have clear policies to address due diligence, regular website reviews and reputation risks of having its website associated with a third party’s website. While posting an online policy or notice regarding third-party links is not required by federal regulation, NCUA’s letter explains that credit unions are strongly encouraged to include a clearly written, conspicuous notice. This notice may address the fact that members are leaving the credit union’s website, and include disclaimers regarding the credit union’s responsibility over products that may be offered on the third-party site. As a precaution, some credit unions include a notice with an opportunity for the member to continue on to the third-party site or go back to the credit union’s site.

Suspension of Services and Nonparticipation Policies

Many credit unions have procedures in place for those not-so-friendly, not-so-cooperative members. Before a credit union may suspend services, NCUA requires a suspension of services policy be reduced to writing and provided to all members "so that members are aware of it." NCUA has not provided guidance regarding what notice members must have in order to be sufficiently "aware" of the policy, except that it must be provided before it can be enforced. For expulsion by a nonparticipation policy, section 1764(b) requires credit unions to create a nonparticipation policy that is adopted by the board of directors and sent to all members at least 30 days before it becomes effective. Because there is no real guidance on how to deliver these suspension or nonparticipation policies or make members “aware” of them, credit unions might need to make a risk-based decision on whether online notices are sufficient for their members.

Financial Statements

The FCU model bylaws require a monthly financial statement showing the condition of the credit union as of the end of the month, including a summary of delinquent loans, to be posted in the credit union. However, there is no requirement that it be available online. Therefore, making these statements available online would be an additional member service.

Some other common policies may not be required to be published under federal regulation, but are often kept online as a member service, and allow credit unions to avoid use of carrier pigeons. These policies offer clarification of the obligations between the credit union and its members. These may include security policies, online banking agreements, Visa and MasterCard policies, and website accessibility policies. From a reputational risk standpoint, some credit unions choose to keep these policies publicly accessible to benefit members and potential members.
