Written by Elizabeth M. Young LaBerge, Senior Regulatory Compliance Counsel
Most credit unions are not used to thinking of themselves as the non-affiliated third party when it comes to information sharing and Regulation P… but the NAFCU Compliance Team has received a couple of questions lately about how credit unions are permitted to use and share nonpublic personal information that it receives from a nonaffiliated third party, such as from an automobile dealership through an indirect lending relationship. Regulation P does directly address how shared information can be used by those downstream in the flow of information sharing. The bottom-line: credit unions are limited by the restrictions on the entity upstream who shared the information with them.
Regulation P contains a general prohibition against sharing nonpublic personal information with nonaffiliated third parties. In order to share this information without violating the regulation's prohibition, an organization subject to Regulation P has two avenues it can take:
- Avenue 1 ― The organization can provide its privacy and opt out notice describing the organization's sharing practices, give consumers an opportunity to opt out of that sharing and honor any opt outs it receives; or
- Avenue 2 ― The organization can rely on an exception in sections 1016.13 through 1016.15 of Regulation P.
Avenue 1: The Road That Bent In the Undergrowth
Where the downstream credit union received information shared pursuant to the first avenue (i.e. notice and opt out), section 1016.11(b) contains the applicable limitations. Essentially, the downstream credit union can use the information for any reason the upstream organization could. However, this means the downstream credit union is subject to the restrictions contained in the upstream organization's sharing practices disclosed in its privacy notice and any opt out elected by the consumer. In guidance predating the Dodd-Frank Act, the Federal Reserve indicated that this means the downstream organizations wishing to use and share consumer information must have a mechanism in place which allows it to monitor and implement subsequent opt out elections received by the upstream organization. While this guidance is not binding on the CFPB, it is still informative in the absence of guidance from the bureau on this point. See, Q&A G.4.
Avenue 2: The Road That’s Grassy and Wanted Wear
Sharing done under the exception in section 1016.13 for service providers and joint marketing has its own built-in limitation on how third parties it shares with can use that information. The exception requires that a contractual agreement to be in place prohibiting the third party from disclosing or using the information for any reason other than to carry out the purpose of the disclosure.
Section 1016.11(a) contains limitations on how a downstream credit union can use and share information provided to it under the exceptions in sections 1016.14 and 1016.15. Essentially, section 1016.11(a)(1)(iii) allows the downstream credit union to disclose and use the information "in the ordinary course of business to carry out the activity covered by the exception" under which the information was provided to the credit union. For example, if information is shared with the credit union in order to process a financial product or service requested by the consumer under the exception in section 1016.14(a)(1), the credit union would not be able to further share or use that information, except to carry out the business activity of processing that product or service.
Entities Just As Fair and Having Perhaps the Better Claim
It is important to note that section 1016.11 contains additional provisions with regard to sharing with affiliates of entities already involved in the flow of information. Regardless of the avenue under which information was shared, a downstream credit union is permitted to disclose information to affiliates of the upstream organization. Downstream credit unions are also permitted to disclose information to its own affiliates, but the credit union's affiliates are bound by the same limitations on sharing and use of the information that apply to the credit union.
What Makes All the Difference
Regulation P's limitations on sharing and use by downstream credit unions requires a certain amount of knowledge about the privacy policies, opt out elections and methods of regulatory compliance of the upstream third party. This highlights the importance of considering a third party's compliance management regarding Regulation P, its privacy policies and contractual limitations regarding information sharing during the due diligence process. Credit unions can see NCUA Letter to Credit Unions 2007-13 for more information on third party due diligence.
CFPB Proposes to Prepaid Rule...But Also Releases Guide on Prepaid Form
Yesterday, the CFPB announced a proposal to delay effective date of the prepaid accounts rule by six months, or an effective date of April 1, 2018. In a related note, on March 7th, the CFPB issued a new guide to preparing the short form disclosure required under the new prepaids rule. The short form disclosure for prepaid accounts is required by revised section 1005.18(b)(2). NAFCU-member credit unions can find more information about the prepaids rule in this Compliance Monitor article.