[Federal Register Volume 65, Number 41 (Wednesday, March 1, 2000)]
[Proposed Rules]
[Pages 10988-11006]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: 00-4814]


=======================================================================
-----------------------------------------------------------------------

NATIONAL CREDIT UNION ADMINISTRATION

12 CFR Parts 716 and 741


Privacy of Consumer Financial Information; Requirements for 
Insurance

AGENCY: National Credit Union Administration (NCUA).

ACTION: Notice of proposed rulemaking.

-----------------------------------------------------------------------

SUMMARY: The NCUA Board is proposing a new privacy rule applicable to 
all federally-insured credit unions, as required by the recently 
enacted Gramm-Leach-Bliley Act (the GLB Act or Act). The proposed rule 
requires credit unions to have a privacy policy and provide certain 
disclosures and notices to individuals about whom credit unions collect 
nonpublic personal information. It also restricts a credit union's 
ability to disclose nonpublic personal information, including giving 
individuals in some cases an opportunity to opt out of the disclosure. 
In drafting the proposed rule, the NCUA participated as part of an 
interagency group composed of representatives from the NCUA, the 
Federal Trade Commission, the Office of the Comptroller of the 
Currency, Board of Governors of the Federal Reserve System, Federal 
Deposit Insurance Corporation, Office of Thrift Supervision, Secretary 
of the Treasury, and Securities and Exchange Commission (collectively, 
the Agencies). The other Agencies are also required to issue 
regulations to implement the GLB Act. NCUA's proposed rule takes into 
account the unique circumstances of federally-insured credit unions and 
their members but is comparable and consistent with the regulations of 
the other Agencies as required by the GLB Act.

DATES: NCUA must receive comments by March 31, 2000.

ADDRESSES: Direct comments to: Becky Baker, Secretary of the Board. 
Mail or hand-deliver comments to: National Credit Union Administration, 
1775 Duke Street, Alexandria, Virginia 22314-3428, or you may fax 
comments to (703) 518-6319. Please send comments by one method only.

FOR FURTHER INFORMATION CONTACT: Mary F. Rupp or Regina M. Metz, Staff 
Attorneys, Division of Operations, Office of General Counsel, at the 
above address or telephone: (703) 518-6540.

SUPPLEMENTARY INFORMATION:

I. Background

    On November 12, 1999, President Clinton signed the GLB Act (Pub. L. 
106-102, codified at 15 U.S.C. 6801 et seq.) into law. Subtitle A of 
Title V of the GLB Act, captioned Disclosure of Nonpublic Personal 
Information, limits the instances when a financial institution may 
disclose nonpublic personal information of a consumer to nonaffiliated 
third parties. It requires a financial institution to disclose to all 
its customers the institution's privacy policies and practices with 
respect to information sharing with affiliates and nonaffiliated third 
parties.
    As required by the GLB Act, the NCUA has consulted with the other 
Agencies to ensure that its proposed rule is consistent and comparable 
with the proposed rules of the other Agencies. However, the NCUA's 
proposed rule takes into account the unique nature of credit union 
structure and operations, particularly, the relationship between a 
credit union and its members, credit union investment in credit union 
service organizations (CUSOs), and, generally, the significant 
difference between credit union and CUSO activities as compared with 
other financial institutions and their subsidiaries or affiliates.
    A credit union is a not-for-profit, cooperative financial 
institution, formed to permit those in the field of membership 
specified in the credit union's charter to save, borrow, and obtain 
related financial services. Member ownership and control make credit 
unions unique from other financial institutions. Federal credit union 
investment in affiliates is limited to CUSOs, which are organizations 
that primarily serve credit unions or their members and whose business 
is related to the daily and routine operations of credit unions. 12 
U.S.C. 1757(5)(D), 1757(7)(I). This is also generally true for state-
chartered credit unions.
    A key focus of the GLB Act is protecting the privacy of consumers 
and the customers of financial institutions while permitting financial 
institutions to make disclosures to their affiliates. In the credit 
union context, this means that the provisions of the Act and the 
requirements of NCUA's proposed regulation will apply primarily to a 
credit union's members and ordinarily permit sharing of information 
with CUSOs. Nevertheless, the Act and the proposed regulations impose 
requirements on credit unions with respect to nonmembers who are deemed 
to be consumers or customers receiving a financial product or service 
from the credit union. Thus, credit unions must understand when 
individuals qualify as a consumer or customer and what responsibilities 
the credit union has to them. While the GLB Act uses the term customer 
to describe a category of individuals to whom certain obligations are 
owed, the term customer should not be equated with the term member. 
Members in a credit union, as noted above, are its owners with a 
relationship to their credit union that is inherently different than 
that of customers to a financial institution. In addition, whether a 
CUSO will qualify as an affiliate to which a credit union may make 
disclosures will depend on the extent to which a credit union exercises 
control over the CUSO.
    NCUA's proposed rule mirrors the other Agencies' proposed rules 
except for modifications appropriate to address the different 
circumstances of credit unions such as references to credit unions, 
CUSOs, members, nonmember customers, and other nonmembers. NCUA has 
also incorporated much of the preamble discussion from the Agencies' 
joint notice of proposed rulemaking in this preamble. The section-by-
section analysis of the rule that follows points out those provisions 
that differ from the other Agencies' proposed rules. Besides 
differences in terms or definitions, a significant modification is in 
the use of examples in the rule. All the Agencies' proposed rules 
contain examples to aid understanding. NCUA has attempted to use 
examples pertinent to credit union circumstances and, therefore, has 
changed or deleted some examples used in the other Agencies' proposals.
    The NCUA requests comment on all aspects of the proposed rule as 
well as comment on the specific provisions and issues highlighted in 
the section-by-section summary below. The NCUA

[[Page 10989]]

specifically requests comment on the examples in the proposed rule and 
on any additional examples that would be helpful.
    NCUA and the other Agencies are developing examination standards 
and guidelines. A credit union's compliance with this rule will be 
reviewed as part of the regular examination process.
    NCUA and the other Agencies have coordinated their comment periods 
to end on March 31, 2000. Although NCUA's Interpretive Ruling and 
Policy Statement 87-2 states that the public should be given at least 
60 days to comment on a proposed rule, this abbreviated comment period 
is necessary because of the statutory requirement that the final rule 
be issued by May 12, 2000.

II. Section-by-Section Analysis

Section 716.1  Purpose and Scope

    Proposed paragraph (a) of this section identifies three purposes of 
the rule. First, the rule requires a credit union to provide notice to 
consumers, defined in Sec. 716.3(e), about the credit union's privacy 
policies and practices. Second, the rule describes the conditions under 
which a credit union may disclose nonpublic personal information about 
a consumer to a nonaffiliated third party. Third, the rule provides a 
method for a consumer to ``opt out'' of the disclosure of that 
information to nonaffiliated third parties, subject to the exceptions 
in Secs. 716.9, 716.10, and 716.11, discussed below.
    Proposed paragraph (b) sets out the scope of the NCUA rule, stating 
that it applies to all federally-insured credit unions. Section 
505(a)(2) of the GLB Act provides that the NCUA Board has enforcement 
authority for federally-insured credit unions and any subsidiaries. The 
NCUA notes that, while CUSOs may be considered ``subsidiaries,'' the 
Federal Credit Union Act does not give the NCUA direct regulatory or 
supervisory authority over CUSOs. Therefore, CUSOs, depending on the 
type of businesses in which they engage, may be subject to the GLB Act 
and the regulations of the agency having jurisdiction over that 
business activity. For example, a CUSO engaged in securities brokerage 
activities would be subject to the Securities and Exchange Commission 
privacy regulation.
    The NCUA Board specifically requests comment on whether it would be 
appropriate to exempt federally-insured corporate credit unions from 
the regulation. The membership of corporate credit unions is natural 
person credit unions; they are operated primarily to serve other credit 
unions and limit natural person members to the minimum required by 
state or federal law to charter and operate the credit union. 12 CFR 
704.2. Corporate credit unions function as a ``credit union's credit 
union'' and provide a source of liquidity and investment for natural 
person credit unions as well as acting as clearing houses for financial 
transactions. The Board is particularly interested in comments that 
illustrate whether and to what extent corporate credit unions actually 
collect nonpublic personal information about consumers or customers 
within the meaning of the GLB Act and this regulation.
    This paragraph also notes that the rule applies only to information 
about individuals who obtain a financial product or service from a 
credit union for personal, family, or household purposes.

Section 716.2  Rule of Construction

    Proposed Sec. 716.2 of the rule sets out a rule of construction 
intended to clarify the effect of the examples used in the rule. Given 
the wide variety of transactions that Title V of the GLB Act covers, 
the NCUA proposes to adopt a rule of general applicability and then 
provide examples of conduct that would comply with the rule as well as 
examples of conduct that would not. While the NCUA's general rule is 
consistent with the other Agencies' proposals, NCUA's examples differ 
on occasion from those used by the other Agencies in order to provide 
guidance that is more applicable to credit unions.
    The examples are provided to fulfill NCUA's goal of understandable 
regulations. These examples are not intended to be exhaustive; rather, 
they are intended to provide guidance about how the rule would apply in 
specific situations.

Section 716.3  Definitions

    (a) Affiliate. The proposed rule adopts the definition of 
``affiliate'' used in section 509(6) of the GLB Act. An affiliation 
will be found when one company controls, is controlled by, or is under 
common control with another company. Control is defined in 
Sec. 716.3(g). The definition of affiliate applies to financial 
institutions and entities that are not financial institutions.
    NCUA's proposed rule includes examples of entities that will be 
affiliates for credit unions. For a federal credit union, the only 
entity that can be an affiliate is a CUSO, as addressed in 12 CFR part 
712, that is controlled by the federal credit union. For a state-
chartered credit union, an affiliate will be a company that the credit 
union controls.
    (b) Clear and conspicuous. Title V of the GLB Act and the proposed 
rule require that various notices be ``clear and conspicuous.'' The 
proposed rule defines this term to mean that the notice is reasonably 
understandable and designed to call attention to the nature and 
significance of the information contained in the notice.
    The proposed rule does not mandate the use of any particular 
technique for making the notices clear and conspicuous, but instead 
allows each credit union the flexibility to decide for itself how best 
to comply with this requirement. Ways in which a notice may satisfy the 
clear and conspicuous standard would include, for instance, using a 
plain-language caption, in a type set easily seen, that is designed to 
call attention to the information contained in the notice. Other plain 
language principles are provided in the examples that follow the 
general rule.
    (c) Collect. The proposed rule defines ``collect'' to mean 
obtaining any information that is organized or retrievable on a 
personally identifiable basis, irrespective of the source of the 
underlying information. Several sections of the proposed rule, for 
example, Secs. 716.6 and 716.7, impose obligations when a credit union 
collects information about a consumer. This proposed definition 
clarifies that these obligations arise when the information enables the 
user to identify a particular consumer. It also clarifies that the 
obligations arise regardless of whether a credit union obtains the 
information from a consumer or some other source.
    (d) Company. The proposed rule defines ``company,'' which is used 
in the definition of ``affiliate,'' as any corporation, limited 
liability company, business trust, general or limited partnership, 
association, or similar organization.
    (e) Consumer. The proposed rule defines ``consumer'' to mean an 
individual who obtains, from a credit union, financial products or 
services that are to be used primarily for personal, family, or 
household purposes. An individual also will be deemed to be a consumer 
for purposes of a credit union if that credit union purchases the 
individual's account from some other institution. The definition also 
includes the legal representative of an individual.
    The GLB Act distinguishes ``consumers'' from ``customers'' for 
purposes of the notice requirements imposed by the Act. As explained 
more fully in the discussion of proposed Sec. 716.4 which covers 
initial notices, a

[[Page 10990]]

credit union must give a ``consumer'' an initial notice only if it 
intends to disclose nonpublic personal information about the consumer 
to a nonaffiliated third party for a purpose that is not authorized by 
one of several exceptions in the Act. By contrast, a credit union must 
give all ``customers,'' at the time of establishing a customer 
relationship and annually thereafter during the continuation of the 
customer relationship, a notice of the institution's privacy policy.
    A person is a ``consumer'' under the proposed rule if he or she 
obtains a financial product or service from a credit union. A credit 
union that intends to share nonpublic personal information about a 
consumer with nonaffiliated third parties outside of the exceptions 
described in Secs. 716.10 and 716.11 will have to give the requisite 
notices, even if the consumer does not enter into a customer 
relationship with the institution.
    The examples that follow the definition of ``consumer'' clarify 
when someone is a consumer. The examples for credit unions deviate from 
the examples for the other Agencies and use the terms member and 
nonmember where applicable. The other Agencies' examples include 
situations where someone: Applies for a loan or provides information 
for the purpose of determining whether he or she prequalifies for a 
loan; provides information in connection with seeking to obtain 
financial advisory services; and negotiates a workout of a loan. These 
examples do not apply to credit unions, because someone in the above 
situations will necessarily be a member of a credit union, and 
therefore, also a customer. The examples also clarify the status of 
someone whose loan has been sold.
    (f) Consumer reporting agency. The proposed rule adopts the 
definition of ``consumer reporting agency'' that is used in section 
603(f) of the Fair Credit Reporting Act (15 U.S.C. 1681a(f)). This term 
is used in proposed Secs. 716.11 and 716.13 which deal with exceptions 
to notice and opt out and limitations on sharing.
    (g) Control. The proposed rule defines ``control'' using the tests 
applied in section 23A of the Federal Reserve Act (12 U.S.C. 371c). 
This definition is used to determine when companies are affiliated (see 
discussion of proposed Sec. 716.3(a), above), and would result in a 
financial institution and a company being considered as affiliates 
regardless of whether the control is by a company or individual.
    The proposed definition mirrors the definition of the other 
Agencies. NCUA is interested in receiving comment on whether this 
definition should be amended to reflect the particular relationship 
between a credit union and a CUSO. Historically, a federal credit union 
that invested in or made a loan to a CUSO was defined as an affiliated 
credit union of the CUSO. 51 FR 10353, 10360 (March 26, 1986); former 
12 CFR 701.27(c)(1). The Board is particularly interested in receiving 
comment on whether a CUSO that is 100% owned by credit unions should be 
considered an affiliate of all of the investing credit unions, 
regardless of whether any one credit union owns 25%.
    (h) Credit union. NCUA has defined credit union as a federally-
insured credit union.
    (i) Customer. The proposed rule defines ``customer'' as any 
consumer who has a customer relationship with a particular credit 
union. This definition parallels the one used for the term ``customer'' 
in the other Agencies' proposed rules. A customer relationship, which 
is separately defined, basically means that there is an ongoing 
relationship between the credit union and a consumer. For credit 
unions, it is obvious that their members will fall under the meaning of 
customer but the term customer will also include certain nonmembers. A 
nonmember may also have a customer relationship with a credit union in 
certain circumstances.
    As explained more fully in the discussion of proposed Sec. 716.4, a 
consumer becomes a customer of a credit union at the time of entering 
into a continuing relationship with the credit union. Ordinarily, a 
consumer will enter into a continuing relationship with the credit 
union at the time the consumer becomes a member. In some cases, a 
nonmember may also enter into a continuing relationship with a credit 
union. This may occur, for example, when a nonmember acts as a 
guarantor on a loan for a member or is listed by a member as a joint 
account holder. Another example of nonmembers who would qualify as 
customers are individuals who establish a share account at a low-income 
designated credit union.
    The distinction between consumers and customers determines what 
notices a credit union must provide. If a consumer never becomes a 
customer, then, unless the credit union intends to disclose nonpublic 
personal information outside of the exceptions about that consumer to 
nonaffiliated third parties, the credit union is not required to 
provide any privacy notices. By contrast, if a consumer becomes a 
customer, the credit union must provide a copy of its privacy policy 
prior to the time it establishes the customer relationship and at least 
annually thereafter during the continuation of the customer 
relationship.
    (j) Customer relationship. The proposed rule defines ``customer 
relationship'' to mean a continuing relationship between a consumer and 
the credit union whereby the credit union provides a financial product 
or service to a consumer that is to be used primarily for personal, 
family, or household purposes. NCUA's definition parallels the other 
Agencies' definition of customer relationship, but highlights in the 
examples the circumstances as applicable to members and nonmembers.
    Because the GLB Act requires annual notices of the credit union's 
privacy policies to customers, NCUA and the Agencies have interpreted 
the Act as requiring more than isolated transactions between a 
financial institution and a consumer to establish a customer 
relationship, unless it is reasonable to expect further contact between 
the institution and consumer afterwards. Thus, the proposed rule 
defines ``customer relationship'' as one that is of a continuing 
nature.
    NCUA has changed the examples in this subsection to reflect that a 
member will necessarily have a continuing relationship with a credit 
union but that certain nonmembers may also have a continuing 
relationship and, therefore, be entitled to the same notices and 
disclosures that the credit union must provide to its members. These 
circumstances include where a nonmember has a joint account with a 
member, where a nonmember has an account with a low-income credit 
union, or where a credit union owns or services a nonmember's loan.
    The examples that follow the definition of ``customer 
relationship'' clarify, for instance, that using an automated teller 
machine at a credit union at which a consumer transacts no other 
business or purchasing of traveler's checks would not constitute a 
continuing relationship. While a person engaging in one of these types 
of transactions would be a consumer under the regulation (thereby 
requiring the credit union to provide notices if the credit union 
intends to disclose nonpublic personal information about the consumer 
to nonaffiliated third parties outside of the exceptions), the consumer 
would not be a customer. Even if a consumer repeatedly engages in 
transactions of this sort, such as withdrawing funds at regular 
intervals from an ATM owned by a credit union with whom the consumer 
has no

[[Page 10991]]

customer relationship, the consumer will not be considered a customer.
    The examples also clarify that a nonmember will have a customer 
relationship if a credit union has purchased the nonmember's loan or 
services a nonmember's loan.
    (k) Financial institution. The proposed rule defines ``financial 
institution'' as any institution the business of which is engaging in 
activities that are financial in nature, or incidental to such 
financial activities, as described in section 4(k) of the Bank Holding 
Company Act of 1956 (12 U.S.C. 1843(k)). The proposed rule also exempts 
from the definition of ``financial institution'' those entities 
specifically excluded by the GLB Act.
    (l) Financial product or service. The proposed rule defines 
``financial product or service'' as a product or service that a 
financial institution could offer as an activity that is financial in 
nature, or incidental to such a financial activity, under section 4(k) 
of the Bank Holding Company Act of 1956, as amended. It includes the 
credit union's evaluation of information collected in connection with 
an application by a consumer for a financial product or service. It 
also includes the distribution of information about a consumer for the 
purpose of assisting the consumer to obtain a financial product or 
service. Thus the definition includes nonpublic personal information 
provided by a consumer in an application for a financial product or 
service that ultimately is rejected or withdrawn. An activity that is 
complementary to a financial activity, as described in section 4(k), is 
not included in the definition of ``financial product or service'' 
under this part.
    (m) Government regulator. The proposed rule adopts the definition 
of ``government regulator'' that includes each of the Agencies with 
enforcement authority under the statute, including State insurance 
authorities under the circumstances identified in the definition. This 
term is used in the exception set out in proposed Sec. 716.11(a)(4) for 
disclosures to law enforcement agencies, ``including government 
regulators.''
    (n) Nonaffiliated third party. The proposed rule defines 
``nonaffiliated third party'' as any person (which includes natural 
persons as well as corporate entities such as corporations, 
partnerships, trusts, and so on) except (1) an affiliate of a credit 
union, and (2) a joint employee of a credit union and a third party. 
This definition is intended to be substantively the same as the 
definition used in section 509(5) of the GLB Act.
    (o) Nonpublic personal information. Section 509(4) of the GLB Act 
defines ``nonpublic personal information'' to mean ``personally 
identifiable financial information'' (which term is not defined in the 
Act) that is: provided by a consumer to a financial institution; 
results from any transaction with the consumer or any service performed 
for the consumer; or is otherwise obtained by the financial 
institution. Any list, description, or other grouping of consumers--and 
``publicly available information'' (which also is undefined in the GLB 
Act) pertaining to them--that is derived using any nonpublic personal 
information other than publicly available information also is included 
in the definition of ``nonpublic personal information.''
    The proposed rule implements this provision of the GLB Act by 
restating, in paragraph (1) of proposed Sec. 716.3(o), the two 
categories of information described above. The example that follows the 
general definition clarifies that publicly available information and 
other identifying information about consumers, such as addresses and 
social security numbers, would be considered nonpublic personal 
information if the information is derived from information provided by 
a consumer or from customer accounts at, or other relationships with, a 
financial institution.
    The proposed rule excludes publicly available information from the 
scope of ``nonpublic personal information'' only in two circumstances. 
The first is when the information is part of a list, description, or 
other grouping of consumers that is derived without using personally 
identifiable financial information. The second is when information, not 
provided by a consumer and not resulting from a transaction with the 
consumer, is otherwise obtained by a credit union in connection with 
providing a financial product or service to the consumer. However, in 
order for the information to be considered ``publicly available'', the 
information must be obtained from government records, widely 
distributed media, or government-mandated disclosures. The fact that 
information is available from those sources is immaterial if the credit 
union does not actually obtain the information from one of them.
    Some of the other Agencies are considering an alternative 
definition of ``nonpublic personal information'' that would permit a 
financial institution to release publicly available information 
regardless of the source but would still prohibit the release of this 
information as part of a list, description or other grouping of 
consumers that is derived using personally identifiable financial 
information. This will produce a different result in the situation 
where a credit union wants to disclose the name, address, or other 
information available to the general public about an individual. In 
that situation, the proposed rule requires compliance with the notice 
and opt out requirements if the credit union received the information 
from the individual. The alternative definition would not, because the 
information would not be part of a list, description, or other grouping 
of consumers. NCUA invites comment on both alternatives.
    NCUA also specifically invites comment on whether the definition of 
``nonpublic personal information'' would cover information about a 
consumer that contains no indicators of a consumer's identity. For 
instance, if a credit union provided aggregate information about its 
mortgage loans (such as loan-to-value ratios, interest rates, census 
tracts of mortgaged property, payment history, credit scores, and 
income) to a nonaffiliated third party for the purpose of preparing 
market studies, would the lender, without notice or opt out to the 
consumer, be permitted to do so if the information contains no personal 
identifiers?
    (p) Personally identifiable financial information. The GLB Act 
defines ``nonpublic personal information'' to include ``personally 
identifiable financial information'' but does not define the latter 
term.
    As a general matter, the rule treats any personally identifiable 
information as financial if it is obtained by a credit union in 
connection with providing a financial product or service to a consumer. 
NCUA believes that this approach creates a workable and clear standard 
for distinguishing information that is financial from information that 
is not, while at the same time giving meaning to the word 
``financial.'' NCUA recognizes that this may result in certain 
information being covered by the rules that typically is not thought of 
as financial, such as health status. However, the broad scope of what 
is deemed a ``financial product or service'' under the GLB Act requires 
a comparably broad scope of what is deemed ``financial information.'' 
NCUA specifically invites comment on the proposed definition of 
``personally identifiable financial information.''
    The proposed rule defines ``personally identifiable financial 
information'' to include three categories of information. The first 
category is any information that a consumer provides a

[[Page 10992]]

credit union in order for the credit union to provide a financial 
product or service to that consumer. As noted in the examples that 
follow the definition, this would include information provided on an 
application to obtain a loan, credit card, or other financial product 
or service. If, for instance, medical information is provided on an 
application to obtain a financial product or service, that information 
would be considered ``personally identifiable financial information'' 
for purposes of the proposed rule.
    The second category of information covered by the proposed 
definition of ``personally identifiable financial information'' 
includes any information resulting from any transaction between the 
consumer and the credit union involving a financial product or service. 
This would include, as noted in the examples following the definition, 
account balance information, payment or overdraft history, and credit 
or debit card purchase information.
    The third category includes any financial information about a 
consumer otherwise obtained by the credit union in connection with 
providing a financial product or service. This would include, for 
example, information obtained from a consumer report or from an outside 
source to verify information a consumer provides on an application to 
obtain a financial product or service. It would not include, however, 
information that is publicly available.
    The examples note that the definition of ``personally identifiable 
financial information'' does not include a list of names and addresses 
of people who are customers of an entity that is not a financial 
institution. 
Thus, the names and addresses of people who subscribe, for instance, to 
a particular magazine fall outside the definition. If, however, a 
credit union incorporates those names and addresses into a listing of 
one or more of the credit union's members or nonmember customers, then 
the entire list becomes nonpublic personal information.
    NCUA notes that there are other laws that may impose limitations on 
disclosures of nonpublic personal information in addition to those 
imposed by the GLB Act and this proposed rule. For instance, the Fair 
Credit Reporting Act imposes conditions on the sharing of application 
information between affiliates and nonaffiliated third parties. The 
recently proposed Department of Health and Human Services regulations 
that implement the Health Insurance Portability and Accountability Act 
of 1996 would, if adopted in final form, limit the circumstances under 
which medical information may be disclosed. 64 FR 59918 (Nov. 3, 1999). 
State laws may also affect a credit union's ability to disclose 
information. Thus, credit unions will need to monitor and comply with 
relevant legislative and regulatory developments that affect the 
disclosure of consumer information.
    (q) Publicly available information. The proposed rule defines 
``publicly available information'' as information lawfully made 
available to members of the general public that is obtained from three 
broad types of sources. First, it includes information from official 
public records, such as real estate recordations or security interest 
filings. Second, it includes information from widely distributed media, 
such as a telephone book, television or radio program, or newspaper. 
Third, it includes information from disclosures required to be made to 
the general public by federal, state, or local law, such as securities 
disclosure documents. The proposed rule states that information 
obtained over the Internet will be considered publicly available 
information if the information is obtainable from a site available to 
the general public without requiring a password or similar restriction. 
NCUA invites comment on what information is appropriately considered 
publicly available, particularly in the context of information 
available over the Internet.
    (r) You. This term refers to all federally-insured credit unions.

Section 716.4  Initial Notice to Consumers of Privacy Policies and 
Practices Required

    The GLB Act requires a financial institution to provide an initial 
notice of its privacy policies and practices in two circumstances. For 
customers, the notice must be provided at the time of establishing a 
customer relationship. For credit unions, ordinarily this will be at 
the time an individual applies for membership. For consumers who do not 
become customers, the notice must be provided prior to disclosing 
nonpublic personal information about the consumer to a nonaffiliated 
third party. In addition, as discussed more fully in Sec. 716.8, a 
revised notice must be provided to consumers prior to disclosing 
nonpublic personal information if a credit union's policies have 
changed.
    Proposed Sec. 716.4(a) states the general rule regarding these 
notices. It requires a credit union to provide a clear and conspicuous 
notice that accurately reflects the credit union's privacy policies and 
practices. A notice is clear and conspicuous if it is reasonably 
understandable and designed to call attention to the nature and 
significance of the information it provides. A credit union may not 
represent in the notice that it will provide certain protections and 
then fail to provide them; that would mean the notice is not accurate. 
NCUA expects that credit unions will take appropriate measures to 
ensure adherence to their stated privacy policies.
    Affiliated institutions may use a common initial, annual, or opt 
out notice, so long as the notice is delivered in accordance with the 
rule and is accurate for all recipients. Similarly, the rule permits a 
credit union to establish different privacy policies and practices for 
different customers, so long as they receive notices that are accurate 
with respect to them. Credit unions could, for example, have different 
notices for members and for nonmember customers.
    The proposed rule requires a credit union to provide an individual 
a privacy notice prior to the time that it establishes a customer 
relationship. Ordinarily, this will be at the time an individual 
applies for membership. For a nonmember, a credit union could provide 
the notice at the same time it provides other required notices, such as 
those required by the Truth-in-Lending Act. This approach is intended 
to strike a balance between (a) ensuring that consumers will receive 
privacy notices at a meaningful point along the continuum of 
``establishing a customer relationship'' and (b) minimizing unnecessary 
burdens on credit unions that may result if a credit union is required 
to provide a consumer with a series of notices at different points in a 
transaction. Nothing in the proposed rule is intended to discourage a 
credit union from providing a privacy notice at an earlier point in the 
relationship to make it easier for an individual to compare several 
institutions' privacy policies and practices in advance of conducting 
transactions.
    Proposed Sec. 716.4(c) identifies the time the customer 
relationship is established as the point at which a credit union and a 
consumer enter into a continuing relationship. The examples NCUA 
provides differ from those of the other Agencies to account for the 
member or nonmember relationship and the financial products or services 
that credit unions offer. The examples after the statement of the general 
rule inform the reader that, for a member, the relationship is 
established when the individual becomes a member. For nonmembers in 
relationships that are contractual in nature, such as share accounts, 
loans, or purchases of a nondeposit product, a customer relationship is 
established

[[Page 10993]]

when the individual executes the contract necessary to conduct the 
transaction in question. In the case of a credit card, the nonmember 
customer relationship is established when the necessary step to open 
the credit card account is taken under a credit union's procedures.
    For consumers that are not customers, the initial notice may be 
provided at any point before the credit union discloses nonpublic 
personal information to nonaffiliated third parties. An initial notice 
is not required if the credit union does not intend to disclose the 
information or intends to make only disclosures authorized by one of 
the exceptions in Secs. 716.10 and 716.11.
    NCUA recognizes that in some circumstances a nonmember customer 
does not have a choice as to the credit union with which he or she has 
a nonmember customer relationship, such as when a credit union 
purchases the nonmember customer's loan in the secondary market. In 
these situations, it may not be practicable for the credit union to 
provide a notice prior to establishing the nonmember customer 
relationship. NCUA invites comment on whether an exception is necessary 
for such circumstances and how an exception should be formulated.
    Proposed Sec. 716.4(d) sets out the rules governing how credit 
unions must provide the initial notices. The general rule requires that 
the initial notice be provided so that each recipient can reasonably be 
expected to receive actual notice. NCUA invites comment on who should 
receive a notice in situations where there is more than one party to an 
account.
    The notice may be delivered in writing or, if the consumer agrees, 
electronically. Oral notices alone are insufficient. In the case of 
members or nonmember customers, the notice must be given in a way so 
that the member or nonmember customer may either retain it or access it 
at a later time. This would permit a credit union to provide access to 
an electronic version of the notice if the consumer agrees. This 
requirement that the notice be given in a manner permitting access at a 
later time does not preclude a credit union from changing its privacy 
policy. See proposed 12 CFR 716.8(c). Rather, the rules are intended 
only to require that a member or nonmember customer be able to access 
the most recently adopted privacy policy. NCUA requests comment on the 
regulatory burden of providing initial notices. Specifically, NCUA 
would appreciate learning the methods credit unions expect to use to 
provide initial notices.
    Examples of acceptable ways the notice may be delivered include 
hand-delivering a copy of the notice, mailing a copy to the consumer's 
last known address, or sending it via electronic mail to a consumer who 
obtains a financial product or service from the credit union 
electronically. It would not be sufficient to provide only a posted 
copy of the notice in a lobby. Similarly, it would not be sufficient to 
provide the initial notice only on a Web page, unless the consumer is 
required to access that page to obtain the product or service in 
question. Electronic delivery generally should be in the form of 
electronic mail so as to ensure that a consumer actually receives the 
notice. In those circumstances where a consumer is in the process of 
conducting a transaction over the Internet, electronic delivery also 
may include posting the notice on a Web page as described above. If a 
credit union and consumer orally agree to enter into a contract for a 
financial product or service over the telephone, the credit union may 
provide the consumer with the option of receiving the initial notice 
after providing the product or service so as not to delay the 
transaction.
    NCUA requests comment on whether there are situations where 
providing notice by mail is impracticable.

Section 716.5  Annual Notice to Customers Required

    Section 503 of the GLB Act requires a financial institution to 
provide notices of its privacy policies and practices at least annually 
to its customers. The proposed rule implements this requirement by 
requiring a clear and conspicuous notice that accurately reflects the 
privacy policies and practices then in effect to be provided at least 
once during any period of twelve consecutive months. The rule governing 
how to provide an initial notice also applies to annual notices.
    Section 503(a) of the GLB Act requires that the annual notices be 
provided ``during the continuation'' of a customer relationship. To 
implement this requirement, the proposed rule states that a credit 
union is not required to provide annual notices to a customer with whom 
it no longer has a continuing relationship. The examples that follow 
this general rule provide guidance on when there no longer is a 
continuing relationship for purposes of the rules. NCUA has changed 
these examples to reflect the concept of member and nonmember customer 
relationships. The examples include, for instance, when the member 
terminates the member relationship. For nonmembers, the examples 
include share accounts that are treated as dormant by a credit union, 
loans that are paid in full or charged off, or assets sold without 
retaining servicing rights. NCUA invites comment on whether the example 
of dormant accounts provides a sufficiently clear standard and whether 
the applicable standard should be the credit union's policies or 
applicable state law. In addition, NCUA invites comment on whether the 
standard should apply to members as well as nonmembers.
    There may be certain nonmember customer relationships that do not 
present a clear event after which there is no longer a nonmember 
customer relationship. The proposed rule contains an example intended 
to cover these situations, stating that a relationship will no longer 
be deemed continuing for purposes of the proposed rule if the credit 
union has not communicated with a nonmember customer, other than 
providing an annual privacy policy notice, for a period of twelve 
consecutive months.
    NCUA requests comment on the regulatory burden of providing annual 
notices. Specifically, NCUA would appreciate learning the methods 
credit unions expect to use to provide annual notices and whether 
credit unions will use different methods for providing initial notices 
than for providing annual notices.

Section 716.6  Information To Be Included in Initial and Annual Notices 
of Privacy Policies and Practices

    Section 503 of the GLB Act identifies the items of information that 
must be included in a financial institution's initial and annual 
notices. Section 503(a) of the GLB Act sets out the general requirement 
that a financial institution must provide customers with a notice 
describing the institution's policies and practices with respect to, 
among other things, disclosing nonpublic personal information to 
affiliates and nonaffiliated third parties. Section 503(b) of the Act 
identifies certain elements that must be addressed in that notice.
    The required content is the same for both the initial and annual 
notices of privacy policies and practices. While the information 
contained in the notices must be accurate as of the time the notices 
are provided, a credit union may prepare its notices based on current 
and anticipated policies and practices.
    The information to be included is as follows:
    (1) Categories of nonpublic personal information that a credit 
union may collect.
    A credit union must inform its customers about the categories of 
nonpublic personal information it

[[Page 10994]]

collects. The proposed rule provides an example of how to comply with 
this requirement that focuses the notice on the source of the 
information collected. As noted in the example, a credit union will 
satisfy this requirement if it categorizes the information according to 
the sources, such as application information, transaction information, 
and consumer report information. Credit unions may choose to provide 
more detail about the categories of information collected but are not 
required to do so by the proposed rule.
    (2) Categories of nonpublic personal information that a credit 
union may disclose.
    A credit union's initial and annual notice must provide information 
about the categories of nonpublic personal information that may be 
disclosed either to affiliates or nonaffiliated third parties. This 
requirement is in proposed Sec. 716.6(a)(2). The examples of how to 
comply focus on the content of information to be disclosed. As stated 
in the examples, a credit union may satisfy this requirement by 
categorizing information according to source and providing illustrative 
examples of the content of the information. These categories might 
include application information (such as assets and income), 
identifying information (such as name, address, and social security 
number), transaction information (such as information about account 
activity, account balances, and purchases), and information from 
consumer reports (such as credit history).
    Credit unions are free to provide more detailed information in the 
initial and annual notices if they choose. Conversely, if a credit 
union does not disclose, and does not intend to disclose, nonpublic 
personal information to affiliates or nonaffiliated third parties, its 
initial and annual notices may simply state this fact without further 
elaboration about categories of information disclosed.
    (3) Categories of affiliates and nonaffiliated third parties to 
whom a credit union discloses nonpublic personal information.
    Section 503(a) of the Act includes a general requirement that a 
financial institution provide a notice to its customers of the 
institution's policies and practices with respect to disclosing 
nonpublic personal information to affiliates and nonaffiliated third 
parties. Section 503(b) states that the notice required by section 
503(a) shall include certain specified items. Among those is the 
requirement, in section 503(b)(1), that a financial institution inform 
its customers about its policies and practices with respect to 
disclosing nonpublic personal information to nonaffiliated third 
parties. NCUA and the other Agencies believe that, when read together, 
sections 503(a) and 503(b) of the GLB Act require a financial 
institution's notice to address disclosures of nonpublic personal 
information to both affiliates and nonaffiliated third parties.
    The proposed rule states that a credit union will adequately 
categorize the affiliates and nonaffiliated third parties to whom it 
discloses nonpublic personal information about consumers if it 
identifies the types of businesses that they engage in. Types of 
businesses may be described by general terms, such as financial 
products or services, if the credit union provides illustrative 
examples of the significant lines of businesses of the recipient, such 
as mortgage lending, insurance brokerage, or securities brokerage.
    The GLB Act does not require a financial institution to list the 
categories of persons to whom information may be disclosed under one of 
the exceptions set out in proposed Secs. 716.10 and 716.11. The 
proposed rule states that a credit union is required only to inform 
consumers that it makes disclosures as permitted by law to 
nonaffiliated third parties in addition to those described in the 
notice. NCUA invites comment on whether such a disclosure would be 
adequate.
    If a credit union does not disclose, and does not intend to 
disclose, nonpublic personal information to affiliates or nonaffiliated 
third parties, its initial and annual notices may simply state this 
fact without further elaboration about categories of third parties.
    (4) Information about former members and nonmember customers. 
Section 503(a)(2) requires the financial institution's initial and 
annual privacy notices to include the institution's policies and 
practices with respect to disclosing nonpublic personal information of 
persons who have ceased to be customers of the institution. Section 
503(b)(1)(B) requires that this information be provided with respect to 
information disclosed to nonaffiliated third parties.
    NCUA and the other Agencies have concluded that, when read 
together, sections 503(a)(2) and 503(b)(1)(B) require a financial 
institution to include in the initial and annual notices the 
institution's policies and practices with respect to sharing 
information about former customers with all affiliates and 
nonaffiliated third parties. This requirement is set out in the 
proposed rules at Sec. 716.6(a)(4).
    (5) Information disclosed to service providers. Section 502(b)(2) 
of the GLB Act permits a financial institution to disclose nonpublic 
personal information about a consumer to a nonaffiliated third party 
for the purpose of the third party performing services for the 
institution, including marketing financial products or services under a 
joint agreement between the financial institution and at least one 
other financial institution. In this case, a consumer has no right to 
opt out. However, the financial institution must inform the consumer 
that it will be disclosing the information in question, unless the 
service falls within one of the exceptions listed in section 502(e) of 
the Act.
    The proposed rule implements these provisions, in proposed 
Sec. 716.6(a)(5), by requiring that, if a credit union discloses 
nonpublic personal information to a nonaffiliated third party under the 
exception for service providers, the credit union is to include in the 
initial and annual notices a separate description of the categories of 
information that are disclosed and the categories of third parties 
providing the services. A credit union may comply with these 
requirements by providing the same level of detail in the notice as is 
required to satisfy the requirements in proposed Secs. 716.6(a)(2) and 
(3).
    (6) Right to opt out. As previously noted, sections 503(a)(1) and 
503(b)(1) of the GLB Act require a financial institution to provide 
customers with a notice of its privacy policies and practices 
concerning, among other things, disclosing nonpublic personal 
information consistent with section 502 of the Act.
    The proposed rule implements this requirement, in proposed 
Sec. 716.6(a)(6), by requiring the initial and annual notices to 
explain the right to opt out of disclosures of nonpublic personal 
information to nonaffiliated third parties, including the methods 
available to exercise that right.
    (7) Disclosures made under the FCRA. Section 503(b)(4) of the GLB 
Act requires a financial institution's initial and annual notice to 
include the disclosures required, if any, under section 
603(d)(2)(A)(iii) of the FCRA. Section 603(d)(2)(A)(iii) excludes from 
the definition of ``consumer report'' the communication of certain 
consumer information among affiliated entities if the consumer is 
notified about the disclosure of such information and given an 
opportunity to opt out of that information sharing. The information 
that can be shared among affiliates under this provision includes 
information from consumer reports and

[[Page 10995]]

applications for financial products or services. In general, this 
information represents personal information provided directly by the 
consumer to the institution, such as income and social security number, 
in addition to information contained within credit bureau reports.
    The proposed rule implements section 503(b)(4) of the GLB Act by 
including the requirement that a credit union's initial and annual 
notice include any disclosures a credit union makes under section 
603(d)(2)(A)(iii) of the FCRA.
    (8) Confidentiality, security, and integrity. Section 503(a)(3) of 
the GLB Act requires the initial and annual notices to provide 
information about a financial institution's policies and practices with 
respect to protecting the nonpublic personal information of consumers. 
Section 503(b)(3) of the Act requires the notices to include the 
policies that the institution maintains to protect the confidentiality 
and security of nonpublic personal information, in accordance with 
section 501. Section 501 requires the Agencies to establish standards 
governing the administrative, technical, and physical safeguards of 
customer information.
    The proposed rule implements these provisions by requiring a credit 
union to include in the initial and annual notices the credit union's 
policies and practices for protecting the confidentiality, security, 
and integrity of nonpublic personal information. The example in the 
proposed rules states that a credit union may comply with the 
requirement as it concerns confidentiality and security if it explains 
matters such as who has access to the information and the circumstances 
under which the information may be accessed. The information about 
integrity should focus on the measures the credit union takes to 
protect against reasonably anticipated threats or hazards. The proposed 
rule does not require a credit union to provide technical or 
proprietary information about how it safeguards consumer information.
    The Agencies are in the process of preparing the section 501 
standards relating to administrative, technical, and physical 
safeguards, and intend to have those standards in place at the time the 
final privacy rules are issued. This will enable credit unions to 
reflect those standards in the initial and annual notices.

Section 716.7  Limitation on Disclosure of Nonpublic Personal 
Information About Consumers to Nonaffiliated Third Parties

    Section 502(a) of the GLB Act generally prohibits a financial 
institution from sharing nonpublic personal information about a 
consumer with a nonaffiliated third party unless the institution 
provides the consumer with a copy of the institution's privacy policy. 
Section 502(b) of the Act adds the requirements that the financial 
institution provide the consumer with a clear and conspicuous notice 
that the consumer's nonpublic personal information may be disclosed to 
nonaffiliated third parties, that the consumer be given an opportunity 
to opt out of that disclosure, and that the consumer be informed of how 
to opt out.
    Section 716.7 of the proposed rule implements these provisions. 
Paragraph (a)(1) of Sec. 716.7 sets out the criteria that a credit 
union must satisfy before disclosing nonpublic personal information to 
nonaffiliated third parties. These criteria apply to direct and 
indirect disclosures through an affiliate. NCUA invites comment on how 
the right to opt out should apply in the case of joint accounts. 
Should, for instance, a credit union require all parties to an account 
to opt out before the opt out becomes effective? If not, and only one 
of the parties opts out, should the opt out apply only to information 
about the party opting out or should it apply to information about all 
parties to the account? NCUA also requests comment on how the opt out 
rights should be handled with respect to commingled trust accounts, 
where a trustee manages a single account on behalf of multiple 
beneficiaries.
    Paragraph (a)(2) defines ``opt out'' in a way that incorporates the 
exceptions to the right to opt out stated in proposed Secs. 716.9, 
716.10, and 716.11. These exceptions permit disclosures of nonpublic 
personal information to nonaffiliated third parties without first 
providing the initial privacy notice and giving the consumer the right 
to opt out.
    The proposed rule requires that a consumer be given an opportunity 
to opt out before information is disclosed by requiring that the 
opportunity be reasonable. The examples that follow the general rule 
provide guidance in situations involving notices that are mailed and 
notices that are provided in connection with isolated transactions. In 
the former case, a consumer will have a reasonable opportunity to opt 
out if the credit union provides 30 days in which to opt out. In the 
latter case, opportunity will be reasonable if the consumer must decide 
as part of the transaction whether to opt out before completing the 
transaction. NCUA invites comment on whether 30 days is a reasonable 
opportunity to opt out in the case of notices sent by mail, and on 
whether an example in the context of transactions conducted using an 
electronic medium would be helpful.
    The requirement that a consumer have a reasonable opportunity to 
opt out does not mean that a consumer forfeits that right once the 
opportunity lapses. The consumer always has the right to opt out (this 
point is discussed further in proposed Sec. 716.8, below). But, a 
decision to opt out at a time after the opportunity first is presented 
may result in nonpublic personal information being disclosed to 
nonaffiliated third parties for the period of time necessary to 
implement the consumer's opt out direction.
    Paragraph (b) of proposed Sec. 716.7 clarifies that the right to 
opt out applies regardless of whether a consumer has established a 
member or nonmember customer relationship with a credit union. As noted 
above, all members or nonmember customers are consumers under the 
proposed rules. Thus, the fact that a consumer establishes a member or 
nonmember customer relationship with a credit union does not change the 
credit union's obligations to comply with the requirements of proposed 
Sec. 716.7(a) before sharing nonpublic personal information about that 
consumer with nonaffiliated third parties. This also applies in the 
context of a consumer who had a member or nonmember customer 
relationship with a credit union but then terminated that relationship. 
Paragraph (b) also clarifies that the consumer protections afforded by 
paragraph (a) of proposed Sec. 716.7 apply to all nonpublic personal 
information collected by a credit union, regardless of when collected. 
Thus, if a consumer elects to opt out of information sharing with 
nonaffiliated third parties, that election applies to all nonpublic 
personal information about that consumer in the credit union's 
possession, regardless of when the information is obtained.
    Paragraph (c) of proposed Sec. 716.7 states that a credit union 
may, but is not required to, provide consumers with the option of a 
partial opt out in addition to the opt out required by this section. 
This could enable a consumer to limit, for instance, the types of 
information disclosed to nonaffiliated third parties or the types of 
recipients of the nonpublic personal information about that consumer. 
If the partial opt out option is provided, a credit union must

[[Page 10996]]

state this option in a way that clearly informs the consumer about the 
choices available and consequences thereof.

Section 716.8  Form and Method of Providing Opt Out Notice to Consumers

    Paragraph (a) of proposed Sec. 716.8 requires that any opt out 
notice provided by a credit union under Sec. 716.7 must be clear and 
conspicuous and accurately explain the right to opt out. The notice 
must inform the consumer that the credit union may disclose nonpublic 
personal information to nonaffiliated third parties, state that the 
consumer has a right to opt out, and provide the consumer with a 
reasonable means by which to opt out.
    The examples that follow the general rule state that a credit union 
will adequately provide notice of the right to opt out if it identifies 
the categories of information that may be disclosed and the categories 
of nonaffiliated third parties to whom the information may be 
disclosed, and states that the consumer may opt out of those disclosures. A 
credit union that plans to disclose only limited types of information 
or to only a specific type of nonaffiliated third party may provide a 
correspondingly narrow notice to consumers. However, to minimize the 
number of opt out notices a credit union must provide, the credit union 
may wish to base its notices on current and anticipated information 
sharing plans. A new opt out notice is not required for disclosures to 
different types of nonaffiliated third parties or of different types of 
information, provided that the most recent opt out notice is 
sufficiently broad to cover the entities or information in question. 
Nor is a credit union required to provide subsequent opt out notices 
when a consumer establishes a new type of relationship with that credit 
union, such as becoming a member or nonmember customer, unless the 
credit union's opt out policies differ depending on the type of member 
or nonmember customer relationship.
    The examples also suggest several ways in which a credit union may 
provide reasonable means to opt out, including check-off boxes, self-
addressed stamped reply forms, and electronic mail addresses. A credit 
union does not provide a reasonable means of opting out in the opt out 
notice by requiring consumers to send their own letter informing the 
credit union of an opt out election. A credit union may honor letters, 
particularly with respect to delayed opt outs as described in paragraph 
(d).
    Paragraph (b) applies the same rules to delivery of the opt out 
notice that apply to delivery of the initial and annual notices. In 
addition, paragraph (b) clarifies that the opt out notice may be 
provided together with, or on the same form as, the initial and annual 
notices. However, if the opt out notice is provided after the initial 
notice, a credit union must provide a copy of the initial notice along 
with the opt out notice. If a credit union and consumer orally agree to 
enter into a customer relationship, the credit union may provide the 
opt out notice within a reasonable time thereafter if the consumer 
agrees. NCUA invites comment on whether a more specific time by which 
the notice must be given would be appropriate.
    Paragraph (c) sets out the rules governing a credit union's 
obligations in the event the credit union changes its disclosure 
policies. As stated in that paragraph, a credit union may not disclose 
nonpublic personal information to a nonaffiliated third party unless 
the credit union first provides a revised notice and new opportunity to 
opt out. The credit union must wait a period of time that is reasonable 
under the circumstances before disclosing information according to the 
terms of the revised notice in order to afford the consumer a 
reasonable opportunity to opt out. A credit union must provide the 
revised notice of its policies and practices and opt out notice to a 
consumer using the means permitted for providing the initial notice and 
opt out notice to that consumer under Sec. 716.4(c) or Sec. 716.8(b), 
respectively, which require that the notices be given in a manner so 
that each consumer can reasonably be expected to receive actual notice 
in writing or, if the consumer agrees, in electronic form.
    Paragraph (d) states that a consumer has the right to opt out at 
any time. NCUA considered whether to include a time limit by which 
credit unions must effectuate a consumer's opt out election, but 
decided that the wide variety of practices of credit unions made one 
limit inappropriate. Instead, NCUA's rule requires that the sharing of 
nonpublic personal information stop promptly.
    Paragraph (e) states that an opt out will continue until a consumer 
revokes it. The rules require that such revocation be in writing, or, 
if the consumer has agreed, electronically.
    NCUA requests comment on the regulatory burden of complying with 
opt out notices. How do credit unions expect to give opt out 
opportunities? How many opt outs do credit unions expect to receive and 
need to process?

Section 716.9  Exception to Opt Out Requirements for Service Providers 
and Joint Marketing

    Section 502(b) of the GLB Act creates an exception to the opt out 
rules for the disclosure of information to service providers and for 
marketing. A consumer will not have the right to opt out of disclosing 
nonpublic personal information about the consumer to nonaffiliated 
third parties under these circumstances, if the credit union satisfies 
certain requirements.
    First, the credit union must, as stated in section 502(b), ``fully 
disclose'' to the consumer that it will provide this information to the 
nonaffiliated third party before the information is shared. This 
disclosure should be provided as part of the initial notice that is 
required by Sec. 716.4. NCUA invites comment on whether the proposed 
rules appropriately implement the requirement of ``full'' disclosure in 
section 502(b).
    Second, the credit union must enter into a contract with the third 
party that requires the third party to maintain the confidentiality of 
the information. This contract should be designed to ensure that the 
third party (a) will maintain the confidentiality of the information at 
least to the same extent as is required for the credit union that 
discloses it, and (b) will use the information solely for the purposes 
for which the information is disclosed or as otherwise permitted by 
Secs. 716.10 and 716.11 of the proposed rules. NCUA invites comment on 
the application of proposed Sec. 716.9(a)(2)(ii) in the context of 
credit unions that contract with credit scoring vendors to evaluate 
borrower creditworthiness. Specifically, would that section prohibit 
the vendor from using the consumer's information without the indicators 
of personal identity to re-validate the underlying model? Would using 
the information in this manner be beyond the lender's immediate purpose 
of determining the consumer's propensity to perform acceptably?
    The GLB Act allows the Agencies to impose requirements on the 
disclosure of information pursuant to the exception for service 
providers beyond those imposed in the statute. NCUA, like the other 
Agencies, has not done so in the proposed rules, but NCUA invites 
comment on whether additional requirements should be imposed, and, if 
so, what those requirements should address. NCUA notes, for instance, 
that joint agreements have the potential to create reputation risk and 
legal risk for a credit union entering into such an agreement. NCUA 
seeks comment on whether the rule should require a credit
union to take steps to assure itself that the product being jointly 
marketed and the other participants in the joint marketing agreement do 
not present undue risks for the credit union. These might include, for 
instance, ensuring that the credit union's sponsorship of the product 
or service in question is evident from the marketing of that product or 
service. NCUA also invites comments on any other requirements that 
would be appropriate to protect a consumer's financial privacy, and on 
whether the rules should provide examples of the types of joint 
agreements that are covered.

Section 716.10  Exceptions to Notice and Opt Out Requirements for 
Processing and Servicing Transactions

    Section 502(e) of the GLB Act creates exceptions to the 
requirements that apply to the disclosure of nonpublic personal 
information to nonaffiliated third parties. Paragraph (1) of that 
section sets out certain exceptions for disclosures made, generally 
speaking, in connection with the administration, processing, servicing, 
and sale of a consumer's account.
    Paragraph (a) of proposed Sec. 716.10 sets out those exceptions, 
making only stylistic changes to the statutory text that are intended 
to make the exceptions easier to read. Paragraph (b) sets out the 
definition of ``necessary to effect, administer, or enforce'' that is 
contained in section 509(7) of the GLB Act.
    The exceptions set out in proposed Sec. 716.10, and the exceptions 
discussed in proposed Sec. 716.11, below, do not affect a credit 
union's obligation to provide initial notices of its privacy policies 
and practices prior to the time it establishes a member or nonmember 
customer relationship and annual notices thereafter. Those notices must 
be provided to all members and nonmember customers, even if the credit 
union intends to disclose the nonpublic personal information only 
pursuant to the exceptions in Sec. 716.10.

Section 716.11  Other Exceptions to Notice and Opt Out Requirements

    As noted above, section 502(e) contains several exceptions to the 
requirements that otherwise would apply to the disclosures of nonpublic 
personal information to nonaffiliated third parties. Proposed 
Sec. 716.11 sets out those exceptions that are not made in connection 
with the administration, processing, servicing, and sale of a 
consumer's account.
    One of the exceptions stated in proposed Sec. 716.11 is for 
disclosures made with the consent or at the direction of the consumer, 
provided the consumer has not revoked the consent. Following the list 
of exceptions is an example of consent in which a credit union that has 
received an application from a consumer for a mortgage loan informs a 
nonaffiliated insurance company that the consumer has applied for a 
loan and may need to purchase homeowner's insurance. Consent in such a 
situation would enable the credit union to make the disclosure to the 
third party without first providing the initial notice required by 
Sec. 716.4 or the opt out notice required by Sec. 716.7, but the 
disclosure must not exceed the purposes for which consent was given. 
The example also states that consent may be revoked by a consumer at 
any time by the consumer exercising the right to opt out of future 
disclosures. NCUA invites comment on whether safeguards should be added 
to the exception for consent in order to minimize the potential for 
consumer confusion. Such safeguards might include, for instance, that 
consent be written or that it be indicated on a separate signature line 
in a relevant document or on a distinct Web page.

Section 716.12  Limits on Redisclosure and Reuse of Information

    Section 716.12 of the proposed rule implements the GLB Act's 
limitations on redisclosure and reuse of nonpublic personal information 
about consumers. Section 502(c) provides that a nonaffiliated third 
party that receives nonpublic personal information from a financial 
institution shall not, directly or through an affiliate of the third 
party, disclose the information to any person that is not affiliated 
with either the financial institution or the third party, unless the 
disclosure would be lawful if made directly by the financial 
institution. Paragraph (a)(1) sets out the GLB Act's redisclosure 
limitation as it applies to a credit union that receives information 
from another financial institution. Paragraph (b)(1) mirrors the 
provisions of paragraph (a)(1), but applies the redisclosure limits to 
any nonaffiliated third party that receives nonpublic personal 
information from a credit union.
    The GLB Act appears to place the institution that receives the 
information into the shoes of the institution that disclosed the 
information for purposes of determining whether redisclosures by the 
receiving institution are ``lawful.'' Thus, the GLB Act appears to 
permit the receiving institution to redisclose the information to (1) 
an entity to whom the original transferring institution could disclose 
the information pursuant to one of the exceptions in Secs. 716.9, 
716.10, or 716.11, or (2) an entity to whom the original transferring 
institution could have disclosed the information as described under its 
privacy policies and practices, unless the consumer has exercised the 
right to opt out of that disclosure. Because a consumer can exercise 
the right to opt out of a disclosure at any time, the GLB Act may 
effectively preclude third parties that receive information to which 
the opt out right applies from redisclosing the information, except 
pursuant to one of the exceptions in Secs. 716.9, 716.10, or 716.11. 
NCUA invites comment on whether the rule should require a credit union 
that discloses nonpublic personal information to a nonaffiliated third 
party to develop policies and procedures to ensure that the third party 
complies with the limits on redisclosure of that information.
    Sections 502(b)(2) and 502(e) (as implemented by Secs. 716.9, 
716.10, and 716.11 of the proposed rule) describe when a financial 
institution may disclose nonpublic personal information without 
providing the consumer with the initial privacy notice and an 
opportunity to opt out, but those exceptions apply only when the 
information is used for the specific purposes set out in those 
sections. Paragraph (a)(2) of proposed Sec. 716.12 clarifies this 
limitation on reuse as it applies to credit unions. Paragraph (a)(2) 
provides that a credit union may use nonpublic personal information 
about a consumer that it receives from a nonaffiliated financial 
institution in accordance with an exception under Secs. 716.9, 716.10, 
or 716.11, only for the purpose of that exception. Paragraph (b)(2) 
applies the same limits on reuse to any nonaffiliated third party that 
receives nonpublic personal information from a credit union.
    NCUA invites comment on the meaning of the word ``lawful'' as that 
term is used in section 502(c). NCUA specifically solicits comment on 
whether it would be lawful for a nonaffiliated third party to disclose 
information pursuant to the exception provided in proposed Sec. 716.9. 
Under that exception, a credit union must comply with certain 
requirements before disclosing information to a nonaffiliated third 
party. Given that the statute and proposed rules impose those 
requirements on credit unions making the initial disclosure, NCUA 
invites comment on whether subsequent disclosures by the third party 
could satisfy the requirement that those disclosures be lawful when the 
credit union is not party to the subsequent disclosure.

[[Page 10998]]

Section 716.13  Limits on Sharing of Account Number Information for 
Marketing Purposes

    Section 502(d) of the GLB Act prohibits a financial institution 
from disclosing, other than to a consumer reporting agency, an account 
number or similar form of access number or access code for a credit 
card account, deposit account, or transaction account of a consumer to 
any nonaffiliated third party for use in telemarketing, direct mail 
marketing, or other marketing through electronic mail to the consumer. 
Proposed Sec. 716.13 restates this statutory prohibition with minor 
stylistic changes intended to make the rule easier to read.
    NCUA notes that there is no exception in Title V to the flat 
prohibition established by section 502(d). The Statement of Managers 
contained in the Conference Report to S. 900 encourages the Agencies to 
adopt an exception to section 502(d) to permit disclosures of account 
numbers in limited instances. It states--

    In exercising their authority under section 504(b) [which vests 
the Agencies with authority to grant exceptions to section 502(a)-
(d) beyond those set out in the statute], the agencies and 
authorities described in section 504(a)(1) may consider it 
consistent with the purposes of this subtitle to permit the 
disclosure of customer account numbers or similar forms of access 
numbers or access codes in an encrypted, scrambled, or similarly 
coded form, where the disclosure is expressly authorized by the 
customer and is necessary to service or process a transaction 
expressly requested or authorized by the customer.

    NCUA, like the other Agencies, has not included an exception to the 
prohibition of section 502(d) in the proposed rules, however, because 
of concerns about the potential for abuse that exists when someone 
other than a credit union is able to access a consumer's account.
    NCUA seeks comment on whether section 502(d) prohibits the 
disclosure by a credit union to a marketing firm of encrypted account 
numbers if the credit union does not provide the marketer the key to 
decrypt the number, and on whether an exception to the section 502(d) 
prohibition could avoid creating the risks that may arise when a third 
party is provided access to a consumer's account. NCUA also seeks 
comment on whether a flat prohibition as set out in section 502(d) 
might unintentionally disrupt routine, unobjectionable practices, such 
as the disclosure of account numbers to a service provider who handles 
the preparation and distribution of monthly checking account statements 
for a credit union coupled with a request by the institution that the 
service provider include literature with the statement about a product. 
In addition, NCUA invites comment on whether a consumer ought to be 
able to consent to the disclosure of his or her account number 
notwithstanding the general prohibition in section 502(d) and, if so, 
what standards should apply.

Section 716.14  Protection of Fair Credit Reporting Act

    Section 506 makes several amendments to the FCRA to vest rulemaking 
authority in various agencies and to restore the Agencies' regular 
examination authority. Paragraph (c) of section 506 states that, except 
for the amendments noted regarding rulemaking authority, nothing in 
Title V is to be construed to modify, limit, or supersede the operation 
of the FCRA, and no inference is to be drawn on the basis of the 
provisions of Title V whether information is transaction or experience 
information under section 603 of the FCRA.
    Proposed Sec. 716.14 implements section 506(c) of the GLB Act by 
restating the statute, making only minor stylistic changes intended to 
make the rule clearer.

Section 716.15  Relation to State Laws

    Section 507 of the GLB Act states, in essence, that Title V does 
not preempt any state law that provides greater protections than are 
provided by Title V. Determinations of whether a state law or Title V 
provides greater protections are to be made by the Federal Trade 
Commission (FTC) after consultation with the agency that regulates 
either the party filing a complaint or the credit union about whom the 
complaint was filed. Determinations of whether state or federal law 
affords greater protections may be initiated by any interested party or 
on the FTC's own motion.
    Proposed Sec. 716.15 is substantively identical to section 507, 
noting that the proposed rules (as opposed to the statute) do not 
preempt state laws that provide greater protection for consumers than 
does the regulation.

Section 716.16  Effective Date; Transition Rule

    Section 510 of the GLB Act states that, as a general rule, the 
relevant provisions of Title V take effect 6 months after the date on 
which rules are required to be prescribed. However, section 510(1) 
authorizes the Agencies to prescribe a later date in the rules enacted 
pursuant to section 504. The provisions in sections 504 and 506 that 
vest various agencies with rulemaking authority have been effective as 
of the date on which the GLB Act was enacted, namely, November 12, 
1999.
    Proposed Sec. 716.16 states, in paragraph (a), an effective date of 
November 13, 2000. This assumes that a final rule will be enacted 
within the time frame prescribed by section 504(a)(3). NCUA intends to 
provide at least six months following the enactment of a final rule for 
credit unions to bring their policies and procedures into compliance 
with the requirements of the final rule. NCUA invites comment on 
whether six months following adoption of final rules is sufficient to 
enable credit unions to comply with the rules.
    Paragraph (b) of proposed Sec. 716.16 provides a transition rule 
for consumers who were members or nonmember customers as of the 
effective date of the rules. Those member or nonmember customer 
relationships already will have been established as of the effective 
date, so the rules require that the initial notice be provided within 
30 days of the effective date. NCUA invites comment on whether 30 days 
is enough time to permit a credit union to deliver the required 
notices, bearing in mind that the GLB Act contemplates at least a six-
month delayed effective date from the date the rules are adopted.
    If a credit union intends to disclose nonpublic personal 
information about someone who was a consumer before the effective date 
but who has not obtained any financial product or service from the 
credit union since then, it must first provide the notices required by 
Secs. 716.4 and 716.7 and provide a reasonable opportunity to opt out.
    If, in this instance, the credit union already is disclosing 
information about such a consumer, it may continue to do so without 
interruption until the consumer opts out, in which case the credit 
union must stop disclosing nonpublic personal information about that 
consumer to nonaffiliated third parties as soon as reasonably 
practicable.

Section 741.220  Privacy of Consumer Financial Information

    This provision requires all federally-insured credit unions to 
adhere to the provisions in part 716.

III. Regulatory Procedures

A. Paperwork Reduction Act

    NCUA invites comment on:
    (1) Whether the collections of information in the proposed 12 CFR 
part 716 are necessary for the proper performance of NCUA's functions, 
including whether the information has practical utility;
    (2) The accuracy of NCUA's estimate of the burden of the 
information collections;
    (3) Ways to enhance the quality, utility, and clarity of the 
information NCUA must collect under this regulation;
    (4) Ways to minimize the burden of the information collections on 
credit unions, including the use of automated collection techniques or 
other forms of information technology; and
    (5) Estimates of capital or start-up costs and costs of operation, 
maintenance, and purchase of services to provide information.
    Recordkeepers are not required to respond to this collection of 
information unless it displays a currently valid Office of Management 
and Budget (OMB) control number. NCUA is currently requesting a control 
number for this information collection from OMB.
    This proposed regulation contains several disclosure requirements. 
Credit unions must prepare and provide the initial notice to all 
current members and nonmember customers and all new members and 
nonmember customers upon the commencement of a member or nonmember 
customer relationship. 12 CFR 716.4(a). Subsequently, credit unions 
must provide an annual notice to all members and nonmember customers at 
least once during a twelve-month period during the continuation of the 
member or nonmember customer relationship. 12 CFR 716.5(a). The credit 
union must provide the consumer with the opt out notice (and partial 
opt out notice, if applicable (see 12 CFR 716.7(a)(1)(iii)) prior to 
disclosing nonpublic personal information to certain nonaffiliated 
third parties. If a credit union wishes to disclose information in a 
way that is inconsistent with the notices previously given to a 
consumer, the credit union must provide consumers with revised notices. 
12 CFR 716.8(c).
    This proposed regulation contains consumer reporting requirements. 
In order for consumers to invoke their right to opt out, they must 
respond to the credit union's opt out notice. 12 CFR 716.7(a)(2), 
(3)(i), and (c). The consumer has the right to change or update their 
opt out status with the credit union at any time. 12 CFR 716.8(d) and 
(e).
    NCUA requests public comment on all aspects of the collections of 
information contained in this proposed rule, including consumer 
responses to the opt out notice and consumer changes to their opt out 
status with a credit union. In light of the uncertainty regarding what 
credit unions will do to comply with the opt out requirements and how 
consumers will react, NCUA estimates a nominal burden stemming from 
consumer responses of one hour per credit union, and will revisit this 
estimate in light of the comments NCUA receives.
    NCUA will submit the collection of information requirements 
contained in the regulation to the OMB in accordance with the Paperwork 
Reduction Act of 1995. 44 U.S.C. 3507. The NCUA will use any comments 
received to develop its new burden estimates. Comments on the 
collections of information should be sent to Office of Management and 
Budget, Reports Management Branch, New Executive Office Building, Room 
10202, Washington, DC 20503; Attention: Alex T. Hunt, Desk Officer for 
NCUA. Please send NCUA a copy of any comments you submit to OMB.
    The likely respondents are federally-insured credit unions.
    Estimated number of respondents: 10,627.
    Estimated average annual burden hours per respondent: 45 hours.
    Estimated total annual disclosure and recordkeeping burden: 
478,215.

B. Regulatory Flexibility Act

    The Regulatory Flexibility Act requires NCUA either to prepare an 
initial regulatory flexibility analysis (IRFA) with this proposed rule 
or certify that the proposed rule would not have a significant economic 
impact on a substantial number of small credit unions. For purposes of 
the Regulatory Flexibility Act and in accordance with NCUA's authority 
under 5 U.S.C. 601(4), NCUA has determined that small credit unions are 
those with less than one million dollars in assets. See 12 CFR 
791.8(a). NCUA cannot at this time determine whether the proposed rule 
would have a significant economic impact on a substantial number of 
small credit unions. Therefore, NCUA includes the following IRFA.
    The supplementary material above contains a description of the 
reasons why NCUA is considering action and a statement of the 
objectives of, and legal basis for, the proposed rule. NCUA's proposed 
rule will apply to approximately 1,626 small credit unions, out of a 
total of approximately 10,627 federally-insured credit unions.
    Overlap with other federal rules. While the scope of the proposed 
regulation (pursuant to the GLB Act) is unique, it may, in certain 
circumstances, overlap with the following statutes and regulations:
    1. The Fair Credit Reporting Act (15 U.S.C. 1681a(d)(2)) requires a 
credit union that (i) does not want to be treated as a consumer 
reporting agency and (ii) desires to share certain consumer information 
(that is, application or credit report information) with its 
affiliates, to provide the consumer with a clear and conspicuous notice 
and an opportunity to opt out of such information sharing.
    2. At the time a consumer contracts for an electronic fund transfer 
service, the Electronic Funds Transfer Act (15 U.S.C. 1693c(a)(9)) 
requires the credit union to disclose the terms and conditions of the 
transfer, including under what circumstances the credit union will in 
the ordinary course of business disclose information concerning the 
consumer's account to third persons.
    3. The recently proposed Department of Health and Human Services 
regulations that implement the Health Insurance Portability and 
Accountability Act of 1996 (42 U.S.C. 3120d-1 et seq.) would, if 
adopted in final form, limit the circumstances under which medical 
information may be disclosed. 64 FR 59918 (Nov. 3, 1999).
    4. The Children's Online Privacy Protection Act of 1998 (15 U.S.C. 
6502) (under which the NCUA must enforce the Federal Trade Commission's 
implementing regulations) generally requires online service operators 
collecting personal information from a child to obtain parental consent 
and post a privacy notice on the web site.
    New compliance requirements. The proposed rule contains new 
compliance requirements for credit unions, most of which are required 
by the GLB Act. The credit unions will be required to prepare notices 
of their privacy policies and practices and provide those notices to 
consumers as the rule specifies. Credit unions that disclose nonpublic 
personal information about consumers to nonaffiliated third parties 
will be required to provide opt out notices to consumers as well as a 
reasonable opportunity to opt out of certain disclosures. Credit unions 
will have to develop systems for keeping track of consumers' opt out 
directions. Some credit unions, particularly those that decide to 
disclose nonpublic information about consumers to nonaffiliated third 
parties, will likely need the advice of legal counsel to ensure that 
they comply with the rule, and may also require computer programming 
changes and additional staff training. NCUA does not have a practicable 
or reliable basis for quantifying the costs of the proposed rule or any 
alternatives, but seeks comment on the potential costs.
    Exemptions for small credit unions. NCUA seeks comment on whether 
the
requirements of the Act and this rule will create additional burden for 
small credit unions, particularly those that disclose nonpublic 
personal information about consumers to nonaffiliated third parties. 
The rule applies to all federally-insured credit unions, regardless of 
size. The Act does not provide NCUA with the authority to exempt a 
small credit union from the requirement to provide a notice of its 
privacy policies and practices to a consumer with whom it establishes a 
member or nonmember customer relationship. Although NCUA could exempt 
small credit unions from providing a notice and opportunity for 
consumers to opt out of certain information disclosures, NCUA does not 
believe that such an exemption would be appropriate, given the purpose 
of the Act to protect the confidentiality and security of nonpublic 
personal information about consumers. NCUA believes that the burden is 
relatively small for credit unions that do not disclose nonpublic 
personal information about consumers to nonaffiliated third parties. 
These credit unions may provide relatively simple initial and annual 
notices to consumers with whom they establish member or nonmember 
customer relationships.
    NCUA recognizes that the Congressional Conferees on the Act wished 
to ensure that smaller financial institutions are not placed at a 
competitive disadvantage by a statutory regime that permits certain 
information to be shared freely within an affiliate structure while 
limiting the ability to share that same information with nonaffiliated 
third parties. The Conferees stated that, in prescribing regulations, 
the federal regulatory agencies should take into consideration any 
adverse competitive effects upon small commercial banks, thrifts, and 
credit unions. See H.R. Conf. Rep. No. 106-434, at 173 (1999). At this 
time, it is not clear if information-sharing among affiliates in large 
institutional entities will place small credit unions at a 
disadvantage. NCUA believes that further experience under the 
regulation would be appropriate before considering any exemptions in 
this area for small credit unions.
    NCUA requests comment on the burdens associated with the proposed 
rule and whether any exemptions for small credit unions would be 
appropriate.

C. Executive Order 13132

    Executive Order 13132 encourages independent regulatory agencies to 
consider the impact of their regulatory actions on state and local 
interests. In adherence to fundamental federalism principles, NCUA, an 
independent regulatory agency as defined in 44 U.S.C. 3502(5), 
voluntarily complies with the executive order. This proposed rule, if 
adopted, will apply to all federally-insured credit unions, but it will 
not have substantial direct effects on the states, on the relationship 
between the national government and the states, or on the distribution 
of power and responsibilities among the various levels of government. 
Section 507 of the GLB Act states that state law may provide greater 
consumer protections than this proposed rule. In that event, federal 
law would not preempt state law. NCUA has determined the proposed rule 
does not constitute a policy that has federalism implications for 
purposes of the Executive order.

D. The Treasury and General Government Appropriations Act, 1999--
Assessment of Federal Regulations and Policies on Families

    NCUA has determined that the proposed rule will not affect family 
well-being within the meaning of section 654 of the Treasury and 
General Government Appropriations Act, 1999, Pub. L. 105-277, 112 Stat. 
2681 (1998).

IV. Agency Regulatory Goal

    NCUA's goal is clear, understandable regulations that impose 
minimal regulatory burden. We request your comments on whether the 
proposed amendment is understandable and minimally intrusive if 
implemented as proposed.

List of Subjects

12 CFR Part 716

    Consumer protection, Credit unions, Privacy, Reporting and 
recordkeeping requirements.

12 CFR Part 741

    Bank deposit insurance, Credit Unions, Reporting and recordkeeping 
requirements.

    By the National Credit Union Administration Board on February 
24, 2000.
Becky Baker,
Secretary of the Board.


    For the reasons set out in the preamble, it is proposed that 12 CFR 
chapter VII be amended by adding a new part 716 to read as follows:

PART 716--PRIVACY OF CONSUMER FINANCIAL INFORMATION

Sec.
716.1  Purpose and scope.
716.2  Rule of construction.
716.3  Definitions.
716.4  Initial notice to consumers of privacy policies and practices 
required.
716.5  Annual notice to customers required.
716.6  Information to be included in initial and annual notices of 
privacy policies and practices.
716.7  Limitation on disclosure of nonpublic personal information 
about consumers to nonaffiliated third parties.
716.8  Form and method of providing opt out notice to consumers.
716.9  Exception to opt out requirements for service providers and 
joint marketing.
716.10  Exceptions to notice and opt out requirements for processing 
and servicing transactions.
716.11  Other exceptions to notice and opt out requirements.
716.12  Limits on redisclosure and reuse of information.
716.13  Limits on sharing of account number information for 
marketing purposes.
716.14  Protection of Fair Credit Reporting Act.
716.15  Relation to state laws.
716.16  Effective date; transition rule.

    Authority: 15 U.S.C. 6801 et seq., 12 U.S.C. 1751 et seq.


Sec. 716.1  Purpose and scope.

    (a) Purpose. This part governs the treatment of nonpublic personal 
information about consumers by the credit unions listed in paragraph 
(b) of this section. This part:
    (1) Requires a credit union to provide notice to consumers about 
its privacy policies and practices;
    (2) Describes the conditions under which a credit union may 
disclose nonpublic personal information about consumers to 
nonaffiliated third parties; and
    (3) Provides a method for consumers to prevent a credit union from 
disclosing that information to nonaffiliated third parties by ``opting 
out'' of that disclosure, subject to the exceptions in Secs. 716.9, 
716.10 and 716.11.
    (b) Scope. The rules in this part apply only to nonpublic personal 
information about individuals who obtain financial products or services 
for personal, family or household purposes. This part does not apply to 
information about companies or about individuals who obtain financial 
products or services for business purposes. This part applies to 
federally-insured credit unions. This part refers to a federally-
insured credit union as ``you'' or ``the credit union.''


Sec. 716.2  Rule of construction.

    The examples in this part are not exclusive. Compliance with an 
example, to the extent applicable, constitutes compliance with this 
part.


Sec. 716.3  Definitions.

    As used in this part, unless the context requires otherwise:

[[Page 11001]]

    (a)(1) Affiliate means any company that controls, is controlled by, 
or is under common control with another company.
    (2) Examples. (i) An affiliate of a federal credit union is a 
credit union service organization (CUSO), as provided in 12 CFR part 
712, that is controlled by the federal credit union.
    (ii) An affiliate of a federally-insured state-chartered credit 
union is a company that is controlled by the credit union.
    (b)(1) Clear and conspicuous means that a notice is reasonably 
understandable and designed to call attention to the nature and 
significance of the information contained in the notice.
    (2) Examples. (i) You make your notice reasonably understandable if 
you:
    (A) Present the information contained in the notice in clear, 
concise sentences, paragraphs and sections;
    (B) Use short explanatory sentences and bullet lists, whenever 
possible;
    (C) Use definite, concrete, everyday words and active voice, 
whenever possible;
    (D) Avoid multiple negatives;
    (E) Avoid legal and highly technical business terminology; and
    (F) Avoid boilerplate explanations that are imprecise and readily 
subject to different interpretations.
    (ii) You design your notice to call attention to the nature and 
significance of the information contained in it if, to the extent 
applicable, you:
    (A) Use a plain-language heading to call attention to the notice;
    (B) Use a typeface and type size that are easy to read; and
    (C) Provide wide margins and ample line spacing.
    (iii) If you provide a notice on the same form as another notice or 
other document, you design your notice to call attention to the nature 
and significance of the information contained in the notice if you use:
    (A) Larger type size(s), boldface or italics in the text;
    (B) Wider margins and line spacing in the notice; or
    (C) Shading or sidebars to highlight the notice, whenever possible.
    (c) Collect means to obtain information that is organized or 
retrievable on a personally identifiable basis, irrespective of the 
source of the underlying information.
    (d) Company means any corporation, limited liability company, 
business trust, general or limited partnership, association or similar 
organization.
    (e)(1) Consumer means an individual who obtains or has obtained a 
financial product or service from you, that is to be used primarily for 
personal, family or household purposes, and that individual's legal 
representative.
    (2) Examples. (i) An individual who provides nonpublic personal 
information to you in connection with obtaining or seeking to obtain 
credit union membership is your consumer regardless of whether you 
establish a member relationship.
    (ii) An individual who provides nonpublic personal information to 
you in connection with using your ATM is your consumer.
    (iii) An individual is not your consumer solely because you process 
information about the individual on behalf of a financial institution 
that extends credit to the individual.
    (f) Consumer reporting agency has the same meaning as in section 
603(f) of the Fair Credit Reporting Act (15 U.S.C. 1681a(f)).
    (g) Control of a company means:
    (1) Ownership, control, or power to vote 25 percent or more of the 
outstanding shares of any class of voting security of the company, 
directly or indirectly, or acting through one or more other persons;
    (2) Control in any manner over the election of a majority of the 
directors, trustees or general partners (or individuals exercising 
similar functions) of the company; or
    (3) The power to exercise, directly or indirectly, a controlling 
influence over the management or policies of the company, as determined 
by the National Credit Union Administration. With respect to state-
chartered credit unions, NCUA will consult with the appropriate state 
regulator prior to making its determination.
    (h) Credit union means a federal or state-chartered credit union 
that the National Credit Union Share Insurance Fund insures.
    (i) Customer means a consumer who has a customer relationship with 
you.
    (j)(1) Customer relationship means a continuing relationship 
between a consumer and you under which you provide one or more 
financial products or services to the consumer that are to be used 
primarily for personal, family or household purposes.
    (2) Examples. (i) A consumer has a customer relationship with you 
if the consumer:
    (A) Is your member;
    (B) Is a nonmember who has a share, share draft, or credit card 
account with you jointly with a member;
    (C) Is a nonmember who has a loan that you own or service;
    (D) Is a nonmember who has an account with you and you are a credit 
union that has been designated as a low-income credit union;
    (E) Is a nonmember who has an account in a federally-insured state-
chartered credit union pursuant to state law.
    (ii) A consumer does not, however, have a customer relationship 
with you if the consumer is a nonmember and:
    (A) The consumer only obtains a financial product or service in an 
isolated transaction, such as withdrawing cash from your ATM or 
purchasing travelers checks; or
    (B) You sell the consumer's loan and do not retain the rights to 
service that loan.
    (k)(1) Financial institution means any institution the business of 
which is engaging in activities that are financial in nature or 
incidental to such financial activity as described in section 4(k) of 
the Bank Holding Company Act of 1956 (12 U.S.C. 1843(k)).
    (2) Financial institution does not include:
    (i) Any person or entity with respect to any financial activity 
that is subject to the jurisdiction of the Commodity Futures Trading 
Commission under the Commodity Exchange Act (7 U.S.C. 1 et seq.);
    (ii) The Federal Agricultural Mortgage Corporation or any entity 
chartered and operating under the Farm Credit Act of 1971 (12 U.S.C. 
2001 et seq.); or
    (iii) Institutions chartered by Congress specifically to engage in 
securitizations, secondary market sales (including sales of servicing 
rights) or similar transactions related to a transaction of a consumer, 
as long as such institutions do not sell or transfer nonpublic personal 
information to a nonaffiliated third party.
    (l)(1) Financial product or service means any product or service 
that a financial holding company could offer by engaging in an activity 
that is financial in nature or incidental to such a financial activity 
under section 4(k) of the Bank Holding Company Act of 1956 (12 U.S.C. 
1843(k)).
    (2) Financial service includes your evaluation, brokerage or 
distribution of information that you collect in connection with a 
request or an application from a consumer for a financial product or 
service.
    (m) Government regulator means--
    (1) The National Credit Union Administration Board;
    (2) The Board of Governors of the Federal Reserve System;
    (3) The Office of the Comptroller of the Currency;
    (4) The Board of Directors of the Federal Deposit Insurance 
Corporation;
    (5) The Director of the Office of Thrift Supervision;
    (6) The Securities and Exchange Commission;

[[Page 11002]]

    (7) The Secretary of the Treasury, with respect to 31 U.S.C. 
Chapter 53, Subchapter II (Records and Reports on Monetary Instruments 
and Transactions) and 12 U.S.C. Chapter 21 (Financial Recordkeeping);
    (8) A state insurance authority, with respect to any person 
domiciled in that insurance authority's state that is engaged in 
providing insurance; and
    (9) The Federal Trade Commission.
    (n) Nonaffiliated third party means any person except:
    (1) Your affiliate; or
    (2) A person employed jointly by you and any company that is not 
your affiliate. The other company that jointly employs the person would 
still be a nonaffiliated third party.
    (o)(1) Nonpublic personal information means:
    (i) Personally identifiable financial information; and
    (ii) Any list, description or other grouping of consumers (and 
publicly available information pertaining to them) that is derived 
using any personally identifiable financial information.
    (2) Nonpublic personal information does not include any list, 
description, or other grouping of consumers (and publicly available 
information pertaining to them) that is derived without using any 
personally identifiable financial information.
    (3) Example. Nonpublic personal information includes any list of 
individuals' street addresses and telephone numbers that is derived 
using any information consumers provide to you on an application for a 
financial product or service.
    (p)(1) Personally identifiable financial information means any 
information:
    (i) Provided by a consumer to you to obtain a financial product or 
service from you;
    (ii) Resulting from any transaction involving a financial product 
or service between you and a consumer; or
    (iii) You otherwise obtain about a consumer in connection with 
providing a financial product or service to that consumer, other than 
publicly available information.
    (2) Examples. (i) Personally identifiable financial information 
includes:
    (A) Information a consumer provides to you on an application to 
obtain a loan, credit card, insurance or other financial product or 
service, including, among other things, medical information;
    (B) Account balance information, payment history, overdraft 
history, and credit or debit card purchase information;
    (C) The fact that an individual is or has been one of your 
customers or has obtained a financial product or service from you, 
unless that fact is derived using only publicly available information, 
such as government real estate records or bankruptcy records;
    (D) Other information about your consumer if it is disclosed in a 
manner that indicates the individual is or has been your consumer;
    (E) Any information provided by a consumer or otherwise obtained by 
you or your agent in connection with collecting on a loan or servicing 
a loan; and
    (F) Information from a consumer report.
    (ii) Personally identifiable financial information does not include 
a list of names and addresses of customers of an entity that is not a 
financial institution.
    (q)(1) Publicly available information means any information 
lawfully made available to the general public obtained from:
    (i) Federal, state or local government records;
    (ii) Widely distributed media; or
    (iii) Disclosures to the general public required to be made by 
federal, state or local law.
    (2) Examples.
    (i) Government records. Publicly available information contained in 
government records includes information contained in government real 
estate records and security interest filings.
    (ii) Widely distributed media. Publicly available information from 
widely distributed media includes information from a telephone book, a 
television or radio program, a newspaper or an Internet site that is 
available to the general public without requiring a password or similar 
restriction.
    (r) You means a federally-insured credit union.


Sec. 716.4  Initial notice to consumers of privacy policies and 
practices required.

    (a) When initial notice is required. You must provide a clear and 
conspicuous notice that accurately reflects your privacy policies and 
practices to:
    (1) An individual who becomes your customer, prior to the time that 
you establish a customer relationship, except as provided in paragraph 
(d)(2) of this section; and
    (2) A consumer, prior to the time that you disclose any nonpublic 
personal information about the consumer to any nonaffiliated third 
party, if you make such a disclosure other than as authorized by 
Secs. 716.10 and 716.11.
    (b) When initial notice to a consumer is not required. You are not 
required to provide an initial notice to a consumer under paragraph 
(a)(2) of this section if:
    (1) You do not disclose any nonpublic personal information about 
the consumer to any nonaffiliated third party, other than as authorized 
by Secs. 716.10 and 716.11; and
    (2) You do not have a member or nonmember customer relationship 
with the consumer.
    (c) When you establish a customer relationship.
    (1) General rule. You establish a customer relationship at the time 
you and the consumer enter into a continuing relationship.
    (2) Examples. You establish a customer relationship when the 
consumer:
    (i) Becomes your member;
    (ii) Is a nonmember and opens a credit card account with you 
jointly with a member under your procedures;
    (iii) Is a nonmember and executes the contract to open a share or 
share draft account with you or obtain credit from you, jointly with a 
member;
    (iv) Is a nonmember and opens an account with you and you are a 
credit union designated as a low-income credit union;
    (v) Is a nonmember and opens an account with you pursuant to state 
law and you are a state-chartered credit union.
    (d) How to provide notice.
    (1) General Rule. You must provide the privacy notice required by 
paragraph (a) of this section so that each consumer can reasonably be 
expected to receive actual notice in writing or, if the consumer 
agrees, in electronic form.
    (2) Exceptions to allow subsequent delivery of notice. You may 
provide the initial notice required by paragraph (a)(1) of this section 
within a reasonable time after you establish a customer relationship 
if:
    (i) You purchase a loan from another financial institution and the 
customer of that loan does not have a choice about your purchase; or
    (ii) You and the consumer orally agree to enter into a customer 
relationship and the consumer agrees to receive the notice thereafter.
    (3) Oral description of notice insufficient. You may not provide 
the initial notice required by paragraph (a) of this section solely by 
orally explaining your privacy policies and practices in person or over 
the telephone.
    (4) Retention or accessibility of initial notice for members and 
nonmember customers. For customers only, you must provide the initial 
notice required by paragraph (a)(1) of this section so that it can be 
retained or obtained at a

[[Page 11003]]

later time by the customer, in a written form or, if the customer 
agrees, in electronic form.
    (5) Examples. (i) You may reasonably expect that a consumer will 
receive actual notice of your privacy policies and practices if you:
    (A) Hand-deliver a printed copy of the notice to the consumer;
    (B) Mail a printed copy of the notice to the last known address of 
the consumer;
    (C) For the consumer who conducts transactions electronically, post 
the notice on the electronic site and require the consumer to 
acknowledge receipt of the notice as a necessary step to obtaining a 
particular financial product or service;
    (D) For an isolated transaction with the consumer, such as an ATM 
transaction, post the notice on the ATM screen and require the consumer 
to acknowledge receipt of the notice as a necessary step to obtaining 
the particular financial product or service.
    (ii) You may not, however, reasonably expect that a consumer will 
receive actual notice of your privacy policies and practices if you:
    (A) Only post a sign in your branch or office or generally publish 
advertisements of your privacy policies and practices;
    (B) Send the notice via electronic mail to a consumer who obtains a 
financial product or service with you in person or through the mail and 
who does not agree to receive the notice electronically.
    (iii) You provide the initial privacy notice to the customer so 
that it can be retained or obtained at a later time if you:
    (A) Hand-deliver a printed copy of the notice to the customer;
    (B) Mail a printed copy of the notice to the last known address of 
the customer upon request of the customer;
    (C) Maintain the notice on a web site (or a link to another web 
site) for the customer who obtains a financial product or service 
electronically and who agrees to receive the notice electronically.


Sec. 716.5  Annual notice to customers required.

    (a) General rule. You must provide a clear and conspicuous notice 
to customers that accurately reflects your privacy policies and 
practices not less than annually during the continuation of the 
customer relationship. Annually means at least once in any period of 
twelve consecutive months during which that relationship exists.
    (b) How to provide notice. You must provide the annual notice 
required by paragraph (a) of this section to a customer using a means 
permitted for providing the initial notice to that customer under 
Sec. 716.4(d).
    (c)(1) Termination of member or nonmember customer relationship. 
You are not required to provide an annual notice to an individual with 
whom you no longer have a continuing relationship.
    (2) Examples. You no longer have a continuing relationship with an 
individual if:
    (i) The individual is no longer your member and is not a nonmember 
customer;
    (ii) In the case of a nonmember's share or share draft account, the 
account is dormant under the credit union's policies;
    (iii) In the case of a nonmember's closed-end loan, the loan is 
paid in full, you charge off the loan, or you sell the loan without 
retaining servicing rights;
    (iv) In the case of a credit card relationship or other open-end 
credit relationship with a nonmember, you no longer provide any 
statements or notices to the nonmember concerning that relationship or 
you sell the credit card receivables without retaining servicing 
rights; or
    (v) For other types of relationships with nonmembers, you have not 
communicated with the nonmember about the relationship for a period of 
twelve consecutive months, other than to provide annual notices of 
privacy policies and practices.


Sec. 716.6  Information to be included in initial and annual notices of 
privacy policies and practices.

    (a) General rule. The initial and annual notices about your privacy 
policies and practices under Secs. 716.4 and 716.5 must include each of 
the following items of information:
    (1) The categories of nonpublic personal information that you 
collect;
    (2) The categories of nonpublic personal information that you 
disclose;
    (3) The categories of affiliates and nonaffiliated third parties to 
whom you disclose nonpublic personal information, other than those 
parties to whom you disclose information under Secs. 716.10 and 716.11;
    (4) The categories of nonpublic personal information about your 
former customers that you disclose and the categories of affiliates and 
nonaffiliated third parties to whom you disclose it, other than those 
parties to whom you disclose information under Secs. 716.10 and 716.11;
    (5) If you disclose nonpublic personal information to a 
nonaffiliated third party under Sec. 716.9 (and no other exception 
applies to that disclosure), a separate description of the categories 
of information you disclose and the categories of third parties with 
whom you have contracted;
    (6) An explanation of the right under Sec. 716.8(a) of the consumer 
to opt out of the disclosure of nonpublic personal information to 
nonaffiliated third parties, including the methods by which the 
consumer may exercise that right;
    (7) Any disclosures that you make under section 603(d)(2)(A)(iii) 
of the Fair Credit Reporting Act (15 U.S.C. 1681a(d)(2)(A)(iii)) (i.e., 
notices regarding the ability to opt out of affiliate information 
sharing); and
    (8) Your policies and practices with respect to protecting the 
confidentiality, security and integrity of nonpublic personal 
information.
    (b) Description of nonaffiliated third parties subject to 
exceptions. If you disclose nonpublic personal information about a 
consumer to third parties as authorized under Secs. 716.10 and 716.11, 
you are not required to list those exceptions in the initial or annual 
privacy notices required by Secs. 716.4 and 716.5. When describing the 
categories with respect to those parties, you are only required to 
state that you make disclosures to other nonaffiliated third parties as 
permitted by law.
    (c) Future disclosures. Your notice may include:
    (1) Categories of nonpublic personal information that you reserve 
the right to disclose in the future, but do not currently disclose; and
    (2) Categories of affiliates or nonaffiliated third parties to whom 
you reserve the right in the future to disclose, but to whom you do not 
currently disclose, nonpublic personal information.
    (d) Examples.
    (1) Categories of nonpublic personal information that you collect. 
You adequately categorize the nonpublic personal information you 
collect if you categorize it according to the source of the 
information, such as application information, information about 
transactions (such as information regarding your share, loan, or credit 
card account), and credit reports.
    (2) Categories of nonpublic personal information you disclose. You 
adequately categorize nonpublic personal information you disclose if 
you categorize it according to source, and provide a few illustrative 
examples of the content of the information. These might include 
application information, such as assets and income; identifying 
information, such as name, address, and social security number; and 
transaction information, such as information about

[[Page 11004]]

account balance, payment history, counterparties and credit card usage; 
and information from credit reports, such as a consumer's 
creditworthiness and credit history. You do not adequately categorize 
the information that you disclose if you use only general terms, such 
as transaction information about the consumer.
    (3) Categories of affiliates and nonaffiliated third parties to 
whom you disclose. You adequately categorize the affiliates and 
nonaffiliated third parties to whom you disclose nonpublic personal 
information about consumers if you identify the types of businesses 
that they engage in. Types of businesses may be described by general 
terms only if you use a few illustrative examples of significant lines 
of business. For example, you may use the term financial products or 
services if you include appropriate examples of significant lines of 
businesses, such as mortgage lending, life insurance, or securities 
brokerage. You also may categorize the affiliates and nonaffiliated 
third parties to whom you disclose nonpublic personal information about 
consumers using more detailed categories.
    (4) Simplified notices. If you do not disclose, and do not intend 
to disclose, nonpublic personal information to affiliates or 
nonaffiliated third parties, you may simply state that fact, in 
addition to the information you must provide under paragraphs (a)(1), 
(a)(8) and (b) of this section.
    (5) Confidentiality, security and integrity. You describe your 
policies and practices with respect to protecting the confidentiality 
and security of nonpublic personal information if you explain who has 
access to the information and the circumstances under which the 
information may be accessed. You describe your policies and practices 
with respect to protecting the integrity of nonpublic personal 
information if you explain measures you take to protect against 
reasonably anticipated threats or hazards. You are not required to 
describe technical information about the safeguards you use.


Sec. 716.7  Limitation on disclosure of nonpublic personal information 
about consumers to nonaffiliated third parties.

    (a)(1) Conditions for disclosure. Except as otherwise authorized in 
this part, you may not, directly or through any affiliate, disclose any 
nonpublic personal information about a consumer to a nonaffiliated 
third party unless:
    (i) You have provided to the consumer an initial notice as required 
under Sec. 716.4;
    (ii) You have provided to the consumer an opt out notice as 
required in Sec. 716.8;
    (iii) You have given the consumer a reasonable opportunity, before 
the time that you disclose the information to the nonaffiliated third 
party, to opt out of the disclosure; and
    (iv) The consumer does not opt out.
    (2) Opt out definition. Opt out means a direction by the consumer 
that you not disclose nonpublic personal information about that 
consumer to a nonaffiliated third party, other than as permitted by 
Secs. 716.9, 716.10 and 716.11.
    (3) Examples of reasonable opportunity to opt out.
    (i) By mail. You provide a consumer with whom you have a customer 
relationship with a reasonable opportunity to opt out if you mail the 
notices required in paragraph (a)(1) of this section to the consumer 
and allow the consumer a reasonable period of time, such as 30 days, to 
opt out.
    (ii) Isolated transaction with consumer. For an isolated 
transaction, such as the purchase of a traveler's check by a consumer, 
you provide a reasonable opportunity to opt out if you provide the 
consumer with the required notices at the time of the transaction and 
request that the consumer decide, as a necessary part of the 
transaction, whether to opt out before completing the transaction.
    (b) Application of opt out to all consumers and all nonpublic 
personal information.
    (1) This section applies regardless of whether you and the consumer 
have established a customer relationship.
    (2) Unless you comply with this section, you may not, directly or 
through an affiliate, disclose any nonpublic personal information about 
a consumer that you have collected, regardless of whether you collected 
it before or after receiving the direction to opt out from the 
consumer.
    (c) Partial opt out. You may allow a consumer to select certain 
nonpublic personal information or certain nonaffiliated third parties 
with respect to which the consumer wishes to opt out.


Sec. 716.8  Form and method of providing opt out notice to consumers.

    (a)(1) Form of opt out notice. You must provide a clear and 
conspicuous notice to each of your consumers that accurately explains 
the right to opt out under Sec. 716.7(a)(1). The notice must state:
    (i) That you disclose or reserve the right to disclose nonpublic 
personal information about your consumer to a nonaffiliated third 
party;
    (ii) That the consumer has the right to opt out of that disclosure; 
and
    (iii) A reasonable means by which the consumer may exercise the opt 
out right.
    (2) Examples.
    (i) You provide adequate notice that the consumer can opt out of 
the disclosure of nonpublic personal information to a nonaffiliated 
third party if you identify all of the categories of nonpublic personal 
information that you disclose or reserve the right to disclose to 
nonaffiliated third parties as described in Sec. 716.6 and state that 
the consumer can opt out of the disclosure of that information.
    (ii) You provide a reasonable means to exercise an opt out right if 
you:
    (A) Designate check-off boxes in a prominent position on the 
relevant forms with the opt out notice;
    (B) Include a detachable, pre-addressed form or self-addressed, 
stamped reply form together with the opt out notice; or
    (C) Provide an electronic means to opt out, such as a form that can 
be sent via electronic mail or a process at your web site, if the 
consumer agrees to the electronic delivery of information.
    (b) How to provide opt out notice.
    (1) Delivery of notice. You must provide the opt out notice 
required by paragraph (a) of this section in a manner so that each 
consumer can reasonably be expected to receive actual notice in writing 
or, if the consumer agrees, in electronic form. If you and the consumer 
orally agree to enter into a member or nonmember customer relationship, 
you may provide the opt out notice required by paragraph (a) of this 
section within a reasonable time thereafter if the consumer agrees.
    (2) Oral description of opt out right insufficient. You may not 
provide the opt out notice solely by orally explaining, either in 
person or over the telephone, the right of the consumer to opt out.
    (3) Same form as initial notice permitted. You may provide the opt 
out notice together with or on the same written or electronic form as 
the initial notice you provide in accordance with Sec. 716.4.
    (4) Initial notice required when opt out notice delivered 
subsequent to initial notice. If you provide the opt out notice at a 
later time than required for the initial notice in accordance with 
Sec. 716.4, you must also include a copy of the initial notice in 
writing or, if the consumer agrees, in an electronic form with the opt 
out notice.
    (c) Notice of change in terms.
    (1) General rule. Except as otherwise authorized in this part, you 
must not,

[[Page 11005]]

directly or through any affiliate, disclose any nonpublic personal 
information about a consumer to a nonaffiliated third party other than 
as described in the initial notice that you provided to the consumer 
under Sec. 716.4, unless:
    (i) You have provided to the consumer a revised notice that 
accurately describes your policies and practices;
    (ii) You have provided to the consumer a new opt out notice;
    (iii) You have given the consumer a reasonable opportunity, before 
the time that you disclose the information to the nonaffiliated third 
party, to opt out of the disclosure; and
    (iv) The consumer does not opt out.
    (2) How to provide notice of change in terms. You must provide the 
revised notice of your policies and practices and opt out notice to a 
consumer using the means permitted for providing the initial notice and 
opt out notice to that consumer under Sec. 716.4(d) or Sec. 716.8(b), 
respectively.
    (3) Examples.
    (i) Except as otherwise permitted by Secs. 716.9, 716.10 and 
716.11, a change-in-terms notice is required if you--
    (A) Disclose a new category of nonpublic personal information to 
any nonaffiliated third party; or
    (B) Disclose nonpublic personal information to a new category of 
nonaffiliated third party.
    (ii) A change-in-terms notice is not required if you disclose 
nonpublic personal information to a new nonaffiliated third party that 
is adequately described by your prior notice.
    (d) Continuing right to opt out. A consumer may exercise the right 
to opt out at any time, and you must comply with the consumer's 
direction promptly.
    (e) Duration of consumer's opt out direction. A consumer's 
direction to opt out under this section is effective until revoked by 
the consumer in writing, or if the consumer has agreed to accept 
notices in electronic form.


Sec. 716.9  Exception to opt out requirements for service providers and 
joint marketing.

    (a) General rule. The opt out requirements in Secs. 716.7 and 716.8 
do not apply when you provide nonpublic personal information to a 
nonaffiliated third party to perform services for you or functions on 
your behalf, if you:
    (1) Provide the initial notice in accordance with Sec. 716.4; and
    (2) Enter into a contractual agreement with the third party that--
    (i) Requires the third party to maintain the confidentiality of the 
information to at least the same extent that you must maintain that 
confidentiality under this part; and
    (ii) Limits the third party's use of information you disclose 
solely to the purposes for which the information is disclosed or as 
otherwise permitted by Secs. 716.10 and 716.11 of this part.
    (b) Service may include joint marketing. The services performed for 
you by a nonaffiliated third party under paragraph (a) may include 
marketing of your own products or services or marketing of financial 
products or services offered pursuant to joint agreements between you 
and one or more financial institutions.
    (c) Definition of joint agreement. For purposes of this section, 
joint agreement means a written contract pursuant to which you and one 
or more financial institutions jointly offer, endorse, or sponsor a 
financial product or service.


Sec. 716.10  Exceptions to notice and opt out requirements for 
processing and servicing transactions.

    (a) Exceptions for processing transactions at consumer's request. 
The requirements for initial notice in Sec. 716.4(a)(2), the opt out in 
Secs. 716.7 and 716.8 and service providers and joint marketing in 
Sec. 716.9 do not apply if you disclose nonpublic personal information:
    (1) As necessary to effect, administer, or enforce a transaction 
requested or authorized by the consumer;
    (2) To service or process a financial product or service requested 
or authorized by the consumer;
    (3) To maintain or service the consumer's account with you, or with 
another entity as part of a private label credit card program or other 
extension of credit on behalf of such entity; or
    (4) In connection with a proposed or actual securitization, 
secondary market sale (including sales of servicing rights) or similar 
transaction related to a transaction of the consumer.
    (b) Necessary to effect, administer, or enforce a transaction means 
that the disclosure is:
    (1) Required, or is one of the lawful or appropriate methods, to 
enforce your rights or the rights of other persons engaged in carrying 
out the financial transaction or providing the product or service; or
    (2) Required, or is a usual, appropriate or acceptable method:
    (i) To carry out the transaction or the product or service business 
of which the transaction is a part, and record, service or maintain the 
consumer's account in the ordinary course of providing the financial 
service or financial product;
    (ii) To administer or service benefits or claims relating to the 
transaction or the product or service business of which it is a part;
    (iii) To provide a confirmation, statement or other record of the 
transaction, or information on the status or value of the financial 
service or financial product to the consumer or the consumer's agent or 
broker;
    (iv) To accrue or recognize incentives or bonuses associated with 
the transaction that are provided by you or any other party;
    (v) To underwrite insurance at the consumer's request or for 
reinsurance purposes, or for any of the following purposes as they 
relate to a consumer's insurance: Account administration, reporting, 
investigating, or preventing fraud or material misrepresentation, 
processing premium payments, processing insurance claims, administering 
insurance benefits (including utilization review activities), 
participating in research projects, or as otherwise required or 
specifically permitted by federal or state law;
    (vi) In connection with settling a transaction, including:
    (A) The authorization, billing, processing, clearing, transferring, 
reconciling or collection of amounts charged, debited, or otherwise 
paid using a debit, credit or other payment card, check or account 
number, or by other payment means;
    (B) The transfer of receivables, accounts or interests therein; or
    (C) The audit of debit, credit or other payment information.


Sec. 716.11  Other exceptions to notice and opt out requirements.

    (a) Exceptions to opt out requirements. The requirements for 
initial notice to consumers in Sec. 716.4(a)(2), the opt out in 
Secs. 716.7 and 716.8 and service providers and joint marketing in 
Sec. 716.9 do not apply when you disclose nonpublic personal 
information:
    (1) With the consent or at the direction of the consumer, provided 
that the consumer has not revoked the consent or direction;
    (2)(i) To protect the confidentiality or security of your records 
pertaining to the consumer, service, product or transaction;
    (ii) To protect against or prevent actual or potential fraud, 
unauthorized transactions, claims or other liability;
    (iii) For required institutional risk control or for resolving 
consumer disputes or inquiries;
    (iv) To persons holding a legal or beneficial interest relating to 
the consumer; or
    (v) To persons acting in a fiduciary or representative capacity on 
behalf of the consumer;
    (3) To provide information to insurance rate advisory 
organizations,
guaranty funds or agencies, agencies that are rating you, persons that 
are assessing your compliance with industry standards, and your 
attorneys, accountants, and auditors;
    (4) To the extent specifically permitted or required under other 
provisions of law and in accordance with the Right to Financial Privacy 
Act of 1978 (12 U.S.C. 3401 et seq.), to law enforcement agencies 
(including government regulators), self-regulatory organizations, or 
for an investigation on a matter related to public safety;
    (5)(i) To a consumer reporting agency in accordance with the Fair 
Credit Reporting Act (15 U.S.C. 1681 et seq.); or
    (ii) From a consumer report reported by a consumer reporting 
agency;
    (6) In connection with a proposed or actual sale, merger, transfer, 
or exchange of all or a portion of a business or operating unit if the 
disclosure of nonpublic personal information concerns solely consumers 
of such business or unit; or
    (7)(i) To comply with federal, state or local laws, rules and 
other applicable legal requirements;
    (ii) To comply with a properly authorized civil, criminal or 
regulatory investigation, or subpoena or summons by federal, state or 
local authorities; or
    (iii) To respond to judicial process or government regulatory 
authorities having jurisdiction over you for examination, compliance or 
other purposes as authorized by law.
    (b) Examples of consent and revocation of consent. 
    (1) A consumer may specifically consent to your disclosure to a 
nonaffiliated insurance company of the fact that the consumer has 
applied to you for a mortgage so that the insurance company can offer 
homeowner's insurance to the consumer.
    (2) A consumer may revoke consent by subsequently exercising the 
right to opt out of future disclosures of nonpublic personal 
information as permitted under Sec. 716.8(d).


Sec. 716.12  Limits on redisclosure and reuse of information.

    (a) Limits on your redisclosure and reuse. 
    (1) Except as otherwise provided in this part, if you receive 
nonpublic personal information about a consumer from a nonaffiliated 
financial institution, you must not, directly or through an affiliate, 
disclose the information to any other person that is not affiliated 
with either the financial institution or you, unless the disclosure 
would be lawful if the financial institution made it directly to such 
other person.
    (2) You may use nonpublic personal information about a consumer 
that you receive from a nonaffiliated financial institution in 
accordance with an exception under Secs. 716.9, 716.10 or 716.11 only 
for the purpose of that exception.
    (b) Limits on redisclosure and the reuse by other persons. 
    (1) Except as otherwise provided in this part, if you disclose 
nonpublic personal information about a consumer to a nonaffiliated 
third party, that party must not, directly or through an affiliate, 
disclose the information to any other person that is not affiliated 
with either the third party or you, unless the disclosure would be 
lawful if you made it directly to such other person.
    (2) A nonaffiliated third party may use nonpublic personal 
information about a consumer that it receives from you in accordance 
with an exception under Secs. 716.9, 716.10 or 716.11 only for the 
purpose of that exception.


Sec. 716.13  Limits on sharing of account number information for 
marketing purposes.

    You must not, directly or through an affiliate, disclose, other 
than to a consumer reporting agency, an account number or similar form 
of access number or access code for a credit card account, share 
account or transaction account of a consumer to any nonaffiliated third 
party for use in telemarketing, direct mail marketing or other 
marketing through electronic mail to the consumer.


Sec. 716.14  Protection of Fair Credit Reporting Act.

    Nothing in this part shall be construed to modify, limit, or 
supersede the operation of the Fair Credit Reporting Act (15 U.S.C. 
1681 et seq.), and no inference shall be drawn on the basis of the 
provisions of this part regarding whether information is transaction or 
experience information under section 603 of that Act.


Sec. 716.15  Relation to state laws.

    (a) In general. This part shall not be construed as superseding, 
altering, or affecting any statute, regulation, order or interpretation 
in effect in any state, except to the extent that such state statute, 
regulation, order or interpretation is inconsistent with the provisions 
of this part, and then only to the extent of the inconsistency.
    (b) Greater protection under state law. For purposes of this 
section, a state statute, regulation, order or interpretation is not 
inconsistent with the provisions of this part if the protection such 
statute, regulation, order or interpretation affords any consumer is 
greater than the protection provided under this part, as determined by 
the Federal Trade Commission, after consultation with the National 
Credit Union Administration, on the Federal Trade Commission's own 
motion or upon the petition of any interested party.


Sec. 716.16  Effective date; transition rule.

    (a) Effective date. This part is effective November 13, 2000.
    (b) Notice requirement for consumers who were your members or 
nonmember customers on the effective date. No later than thirty days 
after the effective date of this part, you must provide an initial 
notice, as required by Sec. 716.4, to consumers who were your members 
or nonmember customers on the effective date of this part.

PART 741--REQUIREMENTS FOR INSURANCE

    1. The authority citation for part 741 continues to read as 
follows:

    Authority: 12 U.S.C. 1757, 1766, and 1781-1790. Section 741.4 is 
also authorized by 31 U.S.C. 3717.

    2. Add Sec. 741.220 to part 741 to read as follows:


Sec. 741.220  Privacy of consumer financial information.

    Any credit union which is insured pursuant to Title II of the Act 
must adhere to the requirements stated in part 716 of this chapter.

[FR Doc. 00-4814 Filed 2-29-00; 8:45 am]
BILLING CODE 7535-01-P