Written by JiJi Bahhur, Director of Regulatory Compliance
On Monday, the CFPB announced that it finalized the privacy notices rule with the intent to promote more effective privacy disclosures from financial institutions to their customers/members. So now the answer to the burning question that so many credit unions have been asking: Does the credit union still need to send annual privacy notices to its members?
Yes, the credit union still needs to send annual privacy notices to its members; however, the CFPB’s final rule allows a credit union to post this annual privacy notice online instead of sending it out individually to members IF certain conditions are met.
Under the CFPB’s privacy notices final rule, credit unions will be able to post annual privacy notices online instead of distributing an annual paper copy to each individual member, if the credit union satisfies the following conditions:
- The credit union does not share its members’ nonpublic personal information with nonaffiliated third parties in a manner that triggers Gramm-Leach Bliley Act (GLBA) opt-out rights;
- The credit union does not include on its annual privacy notice information about certain consumer opt-out rights under section 603 of the Fair Credit Reporting Act (FCRA);
- The credit union’s annual privacy notice is not the only notice provided to satisfy the requirements of section 624 of the FCRA;
- The information included in the privacy notice has not changed since the member received the previous notice; and
- The credit union uses the model form provided in GLBA’s implementing Regulation P.
Credit unions that meet the conditions above and that choose to rely on this new method of delivering privacy notices are also required to:
- Convey at least annually on a regular consumer communication, such as a monthly billing statement, that the credit union’s privacy notice is available on its website and in paper and will be mailed upon request made to the provided toll-free number. This notice or disclosure would have to also include a specific web address that takes the member directly to the privacy notice;
- Post the credit union’s current privacy notice continuously on a page of its website that contains only the privacy notice, without requiring a login or any conditions to access the page; and
- Promptly mail (within 10 days) the credit union’s current privacy notice to consumers who request it by telephone.
If the credit union does not meet the conditions above or chooses not to use the new disclosures method, it will need to continue to deliver annual privacy notices to its members using other delivery methods.
This blog won’t address some of the nitty gritties within each of the conditions above, but I do want to make a few quick mentions:
- While this final rule constitutes an important step to achieving improved annual privacy notice requirements, it is only available to those credit unions that do not share information with nonaffiliated third parties. In other words, credit unions that do share information with nonaffiliated third parties cannot take advantage of this final rule.
- NAFCU has long advocated for the elimination of duplicative and costly annual privacy notices. In its comment letter, NAFCU noted that CFPB should not require credit unions to continuously post their privacy notices on their websites. NAFCU argued that this “continuously” verbiage would effectively require that credit unions’ website remain functional at all times. In the preamble to the final rule, the CFPB discussed NAFCU’s concerns and emphasized that this requirement “assumes that financial institutions will post the privacy notice on their websites so that the notice is available but for occasional or unavoidable interruptions, such as routine maintenance or unexpected malfunctions.” In other words, the credit union will not violate this requirement if its website temporarily malfunctions.
The final rule is available in its entirety here. NAFCU’s Regulatory Affairs team is working on a summary of the final rule, which when available, will be located here. Also, NAFCU’s compliance team intends to address this final rule in more depth in near future publications.
Seminar 2014 Wrap and Group Photo. Last week, NAFCU held its 2014 Regulatory Compliance Seminar. The program contained 4 days of the hottest credit union compliance topics, great speakers, and an amazing group of attendees. Below, I’ve shared a group photo taken during the event.
If you’re interested in attending Seminar next year, check out some of the details here.
Fall Fun with the Fam. I had to sneak this in. It’s not often that I can get the entire family to look at the camera at the same time!