[Federal Register Volume 65, Number 97 (Thursday, May 18, 2000)]
[Rules and Regulations]
[Pages 31722-31750]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: 00-12014]



[[Page 31721]]

-----------------------------------------------------------------------

Part IV





National Credit Union Administration





-----------------------------------------------------------------------



12 CFR Parts 716 and 741



Privacy of Consumer Financial Information; Requirements for Insurance; 
Final Rule

  Federal Register / Vol. 65, No. 97 / Thursday, May 18, 2000 / Rules 
and Regulations  

[[Page 31722]]


-----------------------------------------------------------------------

NATIONAL CREDIT UNION ADMINISTRATION

12 CFR Parts 716 and 741


Privacy of Consumer Financial Information; Requirements for 
Insurance

AGENCY: National Credit Union Administration (NCUA).

ACTION: Final rule.

-----------------------------------------------------------------------

SUMMARY: The NCUA Board is issuing a final privacy rule applicable to 
all federally-insured credit unions, as required by the recently 
enacted Gramm-Leach-Bliley Act (the GLB Act or Act). The final rule 
requires credit unions to have a privacy policy and provide certain 
disclosures and notices to individuals about whom credit unions collect 
nonpublic personal information. It also restricts a credit union's 
ability to disclose nonpublic personal information, including giving 
individuals in some cases an opportunity to opt out of the disclosure. 
In drafting the rule, the NCUA participated as part of an interagency 
group composed of representatives from the NCUA, the Federal Trade 
Commission, the Office of the Comptroller of the Currency, Board of 
Governors of the Federal Reserve System, Federal Deposit Insurance 
Corporation, Office of Thrift Supervision, Secretary of the Treasury, 
and Securities and Exchange Commission (collectively, the Agencies). 
The other Agencies are also required to issue regulations to implement 
the GLB Act. NCUA's final rule takes into account the unique 
circumstances of federally-insured credit unions and their members but 
is comparable and consistent with the regulations of the other Agencies 
as required by the GLB Act.

EFFECTIVE DATE: This rule is effective November 13, 2000. However, 
compliance is not required until July 1, 2001.

ADDRESSES: National Credit Union Administration, 1775 Duke Street, 
Alexandria, Virginia 22314-3428.

FOR FURTHER INFORMATION CONTACT: Mary F. Rupp or Regina M. Metz, Staff 
Attorneys, Division of Operations, Office of General Counsel, at the 
above address or telephone: (703) 518-6540.

SUPPLEMENTARY INFORMATION:

I. Background

    On February 24, 2000, NCUA issued a proposed privacy regulation as 
required by the GLB Act. 65 FR 10988, March 1, 2000. The comment period 
for the proposed rule ended March 31, 2000. Ninety-nine comments were 
received on the proposal, 26 from natural person credit unions; two 
from corporate credit unions; four from national credit union trade 
associations; 20 from state credit union leagues; one from a credit 
union service organization; one from the Congressional Privacy Caucus; 
five from law firms; seven from insurance companies; three from banks; 
two from federal agencies; 13 from businesses; one from a special 
interest group; one from a private party; and 13 from miscellaneous 
trade groups.
    As required by the GLB Act, the NCUA has consulted with the other 
Agencies to ensure that its final rule is consistent and comparable 
with the final rules of the other Agencies. However, the NCUA's rule 
takes into account the comments received from the credit union 
community. Those commenters asked NCUA to take into account the unique 
nature of credit union structure and operations, particularly, the 
relationship between a credit union and its members and credit unions 
and credit union service organizations (CUSOs).
    NCUA's final rule mirrors the other Agencies' final rules except 
for modifications appropriate to address the different circumstances of 
credit unions such as references to credit unions, CUSOs, members and 
nonmembers. The section-by-section summary of comments that follows 
points out those provisions that differ from the other Agencies' final 
rules. Besides differences in terms or definitions, a significant 
modification is in the use of examples in the rule. All of the 
Agencies' final rules will contain examples to aid understanding. NCUA 
has attempted to use examples pertinent to credit union circumstances 
and, therefore, has changed or deleted some examples used in the other 
Agencies' rule.
    NCUA and the other Agencies are adding subparts to the table of 
contents in the final rule and reorganizing some of the subsections. 
NCUA and the other Agencies are also changing some of the language in 
the section names in the table of contents so that references to 
various notices are consistent with one another. In addition, NCUA and 
the other Agencies are revising various terms so that terminology is 
used consistently in the final rule and changing the passive voice to 
the active voice in several places. In some places, such as Sec. 716.6, 
long provisions are broken into lists. Lastly, NCUA and the other 
Agencies are adding sample clauses as an appendix to the final rule.
    NCUA and the other Agencies are developing examination standards 
and guidelines. A credit union's compliance with this rule will be 
reviewed as part of the regular examination process.

II. Summary of Comments

    The NCUA requested comment on all aspects of the proposed rule as 
well as comment on specific provisions and issues highlighted in the 
proposal. Below is a discussion of the comments and changes to the 
proposal based on the comments. If a provision was not commented on and 
is not being changed in the final rule, the discussion from the 
proposal is not repeated.

Section 716.1  Purpose and Scope

    Proposed paragraph (b) set out the scope of the NCUA rule, stating 
that it applies to all federally-insured credit unions. Section 
505(a)(2) of the GLB Act provides that the NCUA Board has enforcement 
authority for federally-insured credit unions and any subsidiaries. One 
commenter objected to the statement in the proposal that, while CUSOs 
may be considered ``subsidiaries,'' the Federal Credit Union Act does 
not give the NCUA direct regulatory or supervisory authority over 
CUSOs. The commenter states that NCUA should take regulatory 
responsibility for CUSOs so that there is one regulator for all credit 
union activities. In addition to the fact that NCUA does not have 
direct regulatory or supervisory authority over these entities, NCUA's 
position is that CUSOs should be regulated, depending on the type of 
business in which they engage, by the primary regulators for those 
activities. For example, a CUSO engaged in securities brokerage 
activities would be subject to the Securities and Exchange Commission's 
privacy regulation.
    The NCUA Board specifically requested comment on whether it would 
be appropriate to exempt federally-insured corporate credit unions from 
the rule because the membership of corporate credit unions, with the 
exception of a few natural person incorporators, is natural person 
credit unions, not consumers. Twelve of the 13 commenters that 
responded requested that corporates be exempt. The one commenter in 
opposition to exemption was the Congressional Privacy Caucus. Its 
reason for opposing exemption is persuasive, namely that there is no 
authority in the GLB Act for an exemption, and therefore, if a 
corporate has a customer or consumer it should be required to provide 
the appropriate notice.
    The commenters in support of exemption noted that: a corporate 
credit union's only contact with a consumer is

[[Page 31723]]

through a natural person credit union; a corporate is member-owned and 
should be defined as an affiliate of each of its member owners; a 
corporate cannot perform under the burden of having to provide a 
privacy notice directly to natural persons; since the few natural 
person members a corporate may have only maintain a share account and 
receive no other consumer services, the rule should clarify that those 
individuals are not consumers; and, if a corporate receives nonpublic 
personal information about a natural person as part of processing 
member accounts for a natural person credit union, it is required to 
adhere to the ``reuse of information'' limitations in section 502(c)of 
the GLB Act. One commenter notes that a natural person credit union may 
disclose nonpublic personal information to a corporate credit union in 
connection with a proposed or actual securitization of a loan 
portfolio. The commenter incorrectly equates this type of activity with 
``servicing and processing transactions.'' The proposal treated those 
individuals whose loans are purchased by a credit union as customers of 
the credit union. The final rule treats them as consumers, unless the 
credit union is servicing their loan, then they are members/customers. 
Therefore, a corporate credit union's duty to provide notice and an 
opportunity to opt out to individuals whose loans it purchases is only 
triggered if the corporate is servicing the loan or sharing nonpublic 
personal information about the consumers with nonaffiliated third 
parties that are not within an exception.
    The Board agrees with the Congressional Privacy Caucus that it has 
no authority to exempt corporate credit unions. It appears from the 
comments that a corporate credit union will rarely have natural person 
members or customers. Members appear limited to those corporate credit 
unions that have natural person incorporators that maintain a share 
account. Those members are limited in number and so the burden to 
provide initial and annual notices should be minimal. On the other 
hand, corporate credit unions may have consumers. Consistent with the 
interpretation discussed in the Federal Trade Commission's proposal and 
now part of the final rule, the Board does not consider the members of 
a natural person credit union, that itself is a member of a corporate 
credit union, to be the corporate credit union's members or consumers, 
if the corporate credit union merely provides services to the natural 
person credit union. In this case, the corporate credit union may 
receive financial information about the natural person credit union's 
members, but it is only as a result of providing a service to its own 
member credit union. 65 FR 11174, 11177 (March 1, 2000). The final 
rule, consistent with the other Agencies, has added an example to the 
definition of consumer to clarify this. 12 CFR 716.3(e)(2)(iv). In that 
situation, the corporate is governed by the limitations on redisclosure 
in Sec. 716.11.
    NCUA, consistent with the other Agencies, has clarified in its 
final rule that initial notices are always required for customers, now 
defined as members, but not always for consumers by replacing 
``consumer'' with ``member'' in paragraph (a)(1) and relying on 
paragraph (a)(2) to address consumers.
    The final rule adds language to paragraph (b)(1) to clarify that 
commercial or agricultural purposes are included within the business 
purpose exemption. In addition language is added to this paragraph, 
clarifying that nothing in this part modifies, limits or supersedes the 
standards governing certain health information promulgated by the 
Secretary of Health and Human Services under the Health Insurance 
Portability and Accountability Act of 1996.

Section 716.2  Rule of Construction

    Proposed Sec. 716.2 of the rule set out a rule of construction 
intended to clarify the effect of the examples used in the rule. It 
stated that the examples are not exclusive and that compliance with an 
example, to the extent applicable, constituted compliance with the 
rule. A few commenters objected to having the examples in the rule and 
suggested that they be an Appendix to the rule, so that they are not 
misinterpreted as being part of the regulation. An equal number of 
commenters supported having the examples in the rule. They found it 
helpful to have the examples adjacent to the provision they are 
clarifying. The Board agrees with those commenters and has retained the 
examples in the rule and at the request of the commenters provided 
additional examples where appropriate.
    Several commenters requested that NCUA provide examples of model 
forms. The Board is including, as an Appendix to the rule, examples of 
disclosure language that a credit union may, if applicable, use as part 
of its disclosure.

Section 716.3  Definitions

    (a) and (g) Affiliate and Control. The proposed rule defined 
``affiliate'' and ``control'' using the same definitions as the other 
Agencies. The Board asked for comment on whether the definitions should 
be amended to reflect the particular relationship between a credit 
union and its CUSO. The proposal, adopting the definition in section 
509(6) of the GLB Act, stated that an affiliation is found when one 
company controls, is controlled by, or is under common control with 
another company. It defined control as a 25% ownership interest; 
control in any manner over the election of directors or management; or 
the power to exercise a controlling influence over the management or 
policies of a company as determined by NCUA.
    All 41 commenters that commented on this issue supported having a 
different definition of control. One of the reasons given in support of 
a different definition was that CUSOs are much more limited than bank 
affiliates. The Federal Credit Union Act (FCU Act) limits whom CUSOs 
can serve and the services they can provide. CUSOs must primarily serve 
credit unions and their members, and their services must be related to 
the routine operations of credit unions. Therefore, because of 
statutory limitations, CUSOs are closely affiliated with credit unions 
in the types of services they provide and the persons or entities they 
serve.
    The commenters noted that the FCU Act limits the amount a federal 
credit union can invest in a CUSO to one percent of its paid-in 
unimpaired capital and surplus, making it difficult for a small credit 
union to have a 25% ownership interest in certain kinds of CUSOs. The 
commenters concluded that the proposed definition has a discriminatory 
impact on smaller credit unions because it will result in fewer smaller 
credit unions having affiliates and, therefore, smaller credit unions 
will have more burdensome disclosure requirements than larger credit 
unions.
    Several of the commenters stressed that credit unions are part of a 
cooperative movement that includes their CUSOs. They all work together 
to solve operational problems and help credit unions compete. There are 
often more than four credit unions investing in one CUSO. Members of 
the credit union view the CUSO as an extension of their credit union, 
and, in their minds, it is an affiliate of their credit union.
    A few commenters suggested that certain types of CUSOs should not 
be covered under the privacy rules because they are performing credit 
union functions on behalf of the credit union's members. The examples 
given were shared branching and ATM services. It is unclear what the 
commenters meant by this comment but, if their concern was that credit 
unions be able to share

[[Page 31724]]

with those CUSOs, these types of activities are specifically excluded 
from the opt out requirements by Sec. 716.10. If on the other hand, 
their concern is that CUSOs that are also financial institutions not be 
subject to the privacy regulation, the Agency with primary regulatory 
authority over the CUSO will make that determination. Section 
716.3(e)(2)(iv) of the final rule clarifies that members of the credit 
union would not be the CUSO's customer or consumer if the CUSO's 
function is limited to providing services to the natural person credit 
union and, as part of that service, it receives financial information 
about the natural person credit union's member.
    The proposed rule included examples of entities that are affiliates 
for credit unions. For a federal credit union, the only entity that is 
an affiliate is a CUSO, as addressed in 12 CFR part 712, that is 
controlled by the federal credit union. For a state-chartered credit 
union, an affiliate is a company that is controlled by a credit union. 
One commenter asked that the example for state-chartered credit unions 
be changed to ``a company that is controlled by one or more credit 
unions.'' The current example does not limit control to one credit 
union, it merely addresses how one credit union has an affiliate. The 
number of credit unions affiliated with a particular company will be 
determined by the definition of control, not by changing the example of 
how a credit union is an affiliate of a company.
    The Board asked for comment on whether a CUSO that is 100% owned by 
credit unions should be considered an affiliate of all the investing 
credit unions, regardless of whether any one credit union owns 25%. 
Although unanimous in their desire to expand the definition, the 
commenters had different suggestions on how to handle the issue of 
control. Several opposed limiting the expansion to 100% credit union 
owned because: A limited partnership CUSO would never qualify because 
the CUSO rule does not permit a credit union to be a general partner; 
CUSOs were often started in a cooperative manner with a state league as 
the initial investor; and majority credit union owned CUSOs often have 
some non-credit union investors because of the nature of their product 
or service or because of the need for additional capital.
    Some of the suggestions for control of a CUSO were: 100% credit 
union owned; 100% credit union or CUSO owned; 100% credit union or 
credit union related entity owned; primarily or wholly owned by credit 
unions; 65% credit union owned; 25% credit union owned; and any credit 
union ownership.
    Rather than change the definition of control, the NCUA Board 
believes that it should remain consistent and comparable with the other 
Agencies, and so it has added an example to category (3) of the 
definition that recognizes the unique relationship between a credit 
union and its CUSO. Category (3) states that control of a company 
includes the power to exercise control, directly or indirectly over the 
management or policies of the company, as determined by the NCUA. The 
new example states that NCUA will presume a controlling influence if 
the CUSO is 67% credit union owned. This percentage reflects a 
controlling interest by credit unions in the CUSO. In addition, the 
Board suggests credit unions that do not fall within the example, but 
believe that they have the power to exercise control, directly or 
indirectly, over the management or policies of their CUSO, petition the 
Board for a determination. The Board will process these requests for 
action pursuant to Sec. 790.3 of the rules. 12 CFR 790.3.
    (b) Clear and conspicuous. Title V of the GLB Act and the proposed 
rule required that various notices be ``clear and conspicuous.'' The 
proposed rule defined this term to mean that the notice is reasonably 
understandable and designed to call attention to the nature and 
significance of the information contained in the notice. The proposed 
rule did not mandate the use of any particular technique for making the 
notices clear and conspicuous, but instead allowed each credit union 
the flexibility to decide for itself how best to comply with this 
requirement. Ways in which a notice may satisfy the clear and 
conspicuous standard would include, for instance, using a plain-
language caption, in a type set easily seen, that is designed to call 
attention to the information contained in the notice. Other plain 
language principles were provided in the examples that follow the 
general rule.
    Several commenters recommended that the Board replace this 
definition with one more consistent with other Federal Reserve Board 
regulation definitions or modify the examples. In the final rule, NCUA 
and the other Agencies have retained the definition in the proposed 
rule, but revised the examples. The examples are not mandatory. A 
credit union must decide for itself how best to comply with the general 
rule, and may use techniques not listed in the examples.
    Several commenters requested that the Board provide clarification 
on the form of the notice and whether it is permissible to insert it in 
a newsletter or statement. The final rule clarifies that a credit union 
may provide the notice separately or combined with another document if 
the notice uses distinctive type size, style, and graphic devices.
    The final rule also provides examples of how notices provided on a 
web site can be clear and conspicuous. This might entail, for instance, 
a dialogue box that pops up whenever a member accesses a web page or a 
simple graphic (hypertext link or hotlink) near the top of the page or 
in close proximity to the credit union's logo. Other elements on the 
web site, such as text, graphics, hyperlinks, or sound, should not 
distract the consumer's attention away from the notice. The example 
also provides that the credit union should either place the notice or a 
link to the notice on a screen that consumers frequently access, such 
as a home page. Any link to the notice should be labeled appropriately 
to convey the importance, nature, and relevance of the notice.
    (c) Collect. The proposed rule in Sec. 716.3(c) defined collect as 
``to obtain information that is organized or retrievable on a 
personally identifiable basis, irrespective of the source of the 
underlying information.'' Several commenters recommended NCUA specify 
whether information that is organized or retrievable only in the 
aggregate is excluded from the definition. In the final rule, the NCUA 
and the other Agencies are revising the definition to specify that 
information must be organized or retrievable by the credit union by the 
individual's name or by identifying number, symbol, or other particular 
assigned to the individual.
    (e),(i) and (j) Consumer, Customer, and Customer relationship; (n) 
and (o) Member and Member relationship. The proposed rule defined 
``customer'' as any consumer who has a customer relationship with a 
particular credit union. A customer relationship means that there is an 
ongoing relationship between the credit union and a consumer. These 
definitions paralleled the ones used by the other Agencies. Eleven 
commenters requested that the term ``member'' be used rather than 
customer. Some of those commenters suggested that only members be 
considered customers. This suggestion is contrary to the GLB Act that 
makes a distinction between the protections for consumers who obtain a 
financial product or services and those consumers that establish a 
relationship of a more lasting nature. Sometimes, those consumers with 
relationships of a more lasting nature are not actual members of the 
credit union and so, the

[[Page 31725]]

definition of customer cannot be limited to actual members.
    Some of the reasons in support of using the term ``member,'' rather 
than ``customer,'' and including certain nonmembers within that 
category were that: credit unions have a unique relationship with their 
members and that relationship should be reflected in their regulations; 
and only a member is entitled to borrow, vote, and serve on the board 
of a credit union.
    The Board agrees with the commenters that a credit union's 
relationship with its members is unique and so, it has substituted the 
term ``member'' for ``customer'' in the final rule. NCUA used this same 
approach successfully in its Truth in Savings Rule. 12 CFR part 707. 
However, the Board cautions credit unions that the term ``member,'' as 
used in this rule, essentially parallels the term ``customer'' used by 
the other Agencies. The term ``member'' includes individuals who are 
not actually members, but are entitled to the same privacy protections 
provided to members. Examples of individuals that fall within the 
definition of ``member'' in part 716 are nonmember joint account 
holders, nonmembers establishing an account at a low-income designated 
credit union and nonmembers holding an account in a state-chartered 
credit union under state law.
    Several commenters stated that customer relationship is too broadly 
defined and should not apply to the situation where a credit union 
purchases a nonmember's loan, but not the servicing rights. NCUA and 
the other Agencies agree and are deleting this relationship from the 
definition of member/customer relationship. A consumer will be the 
member/customer of the financial institution that holds the servicing 
rights and a consumer of the other financial institutions that own the 
loan.
    Several commenters asked that the final rule clarify that a series 
of isolated transactions does not transform a consumer to a member/
customer. The final rule has added an ``s'' to isolated transaction to 
clarify this point.
    A few commenters noted that notices and an opportunity to opt out 
should not have to be provided to both the consumer and the consumer's 
legal representative. NCUA and the other Agencies agree and are 
amending Sec. 716.3(e)(1) to reflect that it is the consumer ``or'' the 
consumer's legal representative.
    (f) Federal functional regulator. NCUA, consistent with the other 
Agencies, adopted the definition of ``government regulator'' in 
proposed rule Sec. 716.3(m) to include the federal functional 
regulators, as defined in the GLB Act, the state insurance authorities, 
the Department of Treasury, and the Federal Trade Commission. One 
commenter objected to the definition and asked NCUA to revise it to 
include state regulators. The rule already takes into account the role 
of state regulators on the issue of affiliates.
    In the final rule, the NCUA and the other Agencies are deciding not 
to use a definition for government regulator and instead have restated 
the definition for ``Federal functional regulator'' from the GLB Act. 
The term is used in the exception set out in Sec. 716.15(a)(4) for 
disclosures to law enforcement agencies, including a federal functional 
regulator, the Department of Treasury, a state insurance authority, and 
the Federal Trade Commission.
    (l), (m) Financial institution and Financial product or service. 
The proposed rule defined ``financial institution'' in Sec. 716.3(k) as 
any institution the business of which is engaging activities that are 
financial in nature, or incidental to such financial activities, as 
described in section 4(k) of the Bank Holding Company Act of 1956 (12 
U.S.C. 1843(k)). The proposed rule also exempted from the definition of 
``financial institution'' those entities specifically excluded by the 
GLB Act. The proposed rule defined ``financial product or service'' in 
Sec. 716.3(l) as any product or service that a financial holding 
company could offer by engaging in an activity that is financial in 
nature or incidental to such a financial activity under section 4(k). 
The definition included the financial institution's evaluation of 
information collected in connection with an application by a consumer 
for a financial service or product even if the application is 
ultimately rejected or withdrawn. It also included the distribution of 
information about a consumer for the purpose of assisting the consumer 
obtain a financial product or service. In the final rule, NCUA, 
consistent with the other Agencies, no longer includes such 
distribution of information to be a financial service. Other than this 
change, NCUA has retained both definitions in Sec. 716.3(l) and (m) of 
the final rule, but NCUA has added examples of financial institutions.
    Several commenters requested that the Board list financial 
activities or attach section 4(k) to part 716. One commenter provided 
sample language. One commenter supported a de minimis exception for 
companies whose consumer component is less than one percent. A few 
commenters requested that the Board adopt the Federal Trade 
Commission's example which provides that an entity is a financial 
institution if it is significantly engaged in financial activities, 
such as a retailer that extends credit by issuing its own credit card 
directly to consumers. The Federal Trade Commission also provided an 
example that a financial institution does not include a business that 
only accepts payment by check or cash, or through credit cards issued 
by others, or through deferred payment or ``lay-away'' plans. A few 
commenters also requested that the Board clarify the definition of 
financial products and services or expand it with examples.
    Examples of activities that are financial in nature include: 
lending, exchanging, transferring, investing for others, or 
safeguarding money or securities; insuring, guaranteeing, or 
indemnifying against loss, harm, damage, illness, disability, or death, 
or providing and issuing annuities, and acting as principal, agent, or 
broker for purposes of the foregoing, in any state; providing 
financial, investment, or economic advisory services; and underwriting, 
dealing in, or making a market in securities. Examples of activities 
that are incidental to financial activities include: brokering or 
servicing loans; leasing real or personal property (or acting as agent, 
broker, or advisor in such leasing) without operating, maintaining or 
repairing the property; appraising real or personal property; check 
guaranty, collection agency, credit bureau, and real estate settlement 
services; providing financial or investment advisory activities 
including tax planning, tax preparation, and instruction on individual 
financial management; management consulting and counseling activities 
(including providing financial career counseling); courier services for 
banking instruments; printing and selling checks and related documents; 
community development or advisory activities; selling money orders, 
savings bonds, or traveler's checks. The activities also include 
leasing real or personal property (or acting as agent, broker, or 
advisor in such leasing) where the lease is functionally equivalent to 
an extension of credit; acting as fiduciary; providing investment, 
financial, or economic advisory services; and operating a travel agency 
in connection with financial services. The Board of Governors of the 
Federal Reserve and the Department of Treasury have authority under 
section 4(k) to determine other activities in the future to be 
financial in nature or incidental to financial activities.

[[Page 31726]]

    Due to the wide range of activities that are defined as financial 
in nature under section 4(k) of the Bank Holding Company Act, the 
definition of ``financial institution'' encompasses a broad spectrum of 
businesses. In the final rule, the NCUA has added examples of financial 
institutions, including nontraditional financial institutions. These 
may include, but are not limited to: personal property appraisers; real 
estate appraisers; career counselors for employees in financial 
occupations; digital signature services; courier services; real estate 
settlement services; manufacturers of computer software and hardware; 
and travel agencies operated in connection with financial services. 
However, many entities that are within the broad definition of 
financial institution likely will not be subject to the rule's 
disclosure requirements because not all financial institutions have 
consumers.
    (q), (r), and (s) Nonpublic personal information, Personally 
identifiable financial information, and Publicly available information. 

    (q) Nonpublic personal information. The Board invited comment on 
two alternative interpretations of the definition of nonpublic personal 
information in proposed Sec. 716.3(o). Alternative A defined nonpublic 
personal information to include personally identifiable financial 
information and any list, description, or other grouping of consumers 
and any publicly available information pertaining to them that is 
derived using personally identifiable financial information. The 
proposed rule excluded publicly available information from the scope of 
``nonpublic personal information'' when the information is part of a 
list, description, or other grouping of consumers that is derived 
without using personally identifiable financial information. The 
example that followed the general definition clarified that publicly 
available information and other identifying information about 
consumers, such as addresses, would be considered nonpublic personal 
information if the information is derived from information consumers 
provided to a financial institution on an application.
    Alternative B would have permitted a financial institution to 
release publicly available information regardless of the source, but 
still would have prohibited the release of this information as part of 
a list, description or other grouping of consumers that was derived 
using personally identifiable financial information. Thus, under 
alternative B, a credit union could have disclosed the name, address, 
or other information available to the general public about an 
individual, as long as it was not disclosed as part of a list.
    Alternative A would have required compliance with the notice and 
opt out requirements if the credit union had received such information 
from the individual. Under alternative A, in order for the information 
to be considered publicly available, the credit union would have had to 
obtain the information from government records, widely distributed 
media, or government-mandated disclosures. The fact that information 
was available from those sources would have been immaterial if the 
credit union did not actually obtain the information from one of them.
    Approximately 40 commenters supported alternative B, that 
information should not be nonpublic personal information if it is 
publicly available. A few commenters supported alternative A. The 
Congressional Privacy Caucus urged the Agencies to adopt alternative A 
because, unless the financial institution has actually obtained the 
data from a public source, it cannot be certain the information is 
publicly available. The consensus of the interagency group is to adopt 
the broader, alternative B, with modifications. Therefore, nonpublic 
personal information does not include publicly available information, 
except if it is disclosed in the form of a list derived using personal 
identifiable financial information.
    The final rule adopts an approach that the NCUA and the other 
Agencies believe incorporates the benefits of both alternatives. Under 
the final rule, information will be deemed to be ``publicly available'' 
and therefore excluded from the definition of ``nonpublic personal 
information'' if a credit union reasonably believes that the 
information is lawfully made available to the general public from one 
of the three categories of sources listed in the rule. 12 CFR 
Sec. 716.3(s)(2). In this way, a credit union will be able to avoid the 
burden of having to actually obtain information from a public source, 
but will not be free simply to assume that information is publicly 
available without some reasonable basis for that belief. The final rule 
cites, as an example of information a credit union might reasonably 
believe to be publicly available, the fact that someone has a loan that 
is secured by a mortgage in jurisdictions where mortgages are recorded. 
12 CFR Sec. 716.3(s)(3)(iii)(1). The rule also states that a credit 
union will have a reasonable basis to believe that a telephone number 
is publicly available if the credit union either looked the number up 
in a telephone book or was informed by the consumer that the number is 
not unlisted. 12 CFR Sec. 716.3(s)(iii)(2).
    NCUA also specifically invited comment on whether the definition of 
``nonpublic personal information'' would cover information about a 
consumer that contains no indicators of a consumer's identity. 
Approximately 40 commenters said no, that aggregated data should not be 
nonpublic personal information because it is not personally 
identifiable.
    Some commenters contended that the fact that an individual is a 
customer or consumer of a financial institution is not nonpublic 
personal information. They also requested that the regulation allow 
financial institutions to sell lists of consumers and customers. A 
couple of commenters concurred with the Board's inclusion of lists of 
consumers as nonpublic personal information.
    The final rule in Sec. 716.3(q) includes examples of lists that 
would and would not be considered nonpublic personal information. A 
list of individuals' names and street addresses that is derived using 
personally identifiable financial information, other than publicly 
available information, would be nonpublic personal information. Such a 
list that is not derived using personally identifiable financial 
information and does not indicate that individuals on the list are a 
consumer of the credit union would not be nonpublic personal 
information.
    (r) Personally identifiable financial information. The GLB Act 
defined ``nonpublic personal information'' to include ``personally 
identifiable financial information'' but did not define the latter 
term. The proposed rule in Sec. 716.3(p) generally defined personally 
identifiable information as information a credit union obtains in 
connection with providing a consumer a financial service or product. A 
few commenters supported this definition. Approximately 30 commenters 
said that proposed definition is too broad and that personally 
identifiable financial information should not include nonfinancial 
information.
    NCUA continues to believe that this approach creates a workable and 
clear standard for distinguishing information that is financial from 
information that is not, while at the same time giving meaning to the 
word ``financial.'' The broad scope of what is deemed a ``financial 
product or service'' under the GLB Act requires a comparably broad 
scope of what is deemed ``financial information.''
    NCUA and the other Agencies have revised the definition in the 
final rule

[[Page 31727]]

Sec. 716.3(r) to add a couple of additional examples of what would and 
would not be personally identifiable financial information. One of the 
new examples of personally identifiable financial information is 
information the credit union collects through an Internet cookie, an 
information collecting device from a web server. A new example of what 
would not be personally identifiable financial information is 
information that does not identify a consumer, such as aggregate 
information or blind data that does not contain personal identifiers, 
such as account numbers, names or addresses.
    NCUA has retained other examples of personally identifiable 
financial information from the proposed rule. One such example is the 
fact that an individual has been a credit union's member or has 
obtained a financial product or service from it. NCUA disagrees with 
those commenters who maintain that member relationships should not be 
considered personally identifiable financial information. Clearly, 
information that a particular person has a member relationship 
identifies that person, and this is personally identifiable. The NCUA 
believes that this information is also financial, because it 
communicates that the person has a financial relationship with the 
credit union. While this information would in many cases be a matter of 
public record, that does not change the analysis of whether the 
information is personally identifiable financial information.
    (s) Publicly available information. The proposed rule in 
Sec. 716.3(q) defined ``publicly available information'' as information 
lawfully made available to members of the general public that is 
obtained from three broad types of sources: Official public records, 
widely distributed media, or information from public disclosures 
required by law. The proposed rule stated that information obtained 
over the Internet would be considered publicly available information if 
it was obtainable from a site available to the general public without 
requiring a password or similar restriction.
    The Board invited comment on what information should be considered 
publicly available, particularly in the context of information 
available over the Internet. Approximately 35 commenters wrote that 
publicly available information includes information that could be 
derived from a public source, even if it is obtained from a nonpublic 
source, such as an application for financial services. Several 
commenters wrote that publicly available information should include 
name, address, and phone number. A couple of commenters suggested that 
the Board model its definition after the Securities and Exchange 
Commission's definition of publicly available information.
    The NCUA and the other Agencies have modified and adopted the 
Securities and Exchange Commission's proposed definition in the final 
rule. NCUA's final rule defines ``publicly available information'' as 
information the financial institution has a reasonable basis to believe 
is lawfully made available to the general public from the three broad 
types of sources. 12 CFR 716.3(s). The NCUA and the other Agencies have 
decided that financial institutions have a reasonable basis to believe 
information is lawfully available to the general public if they take 
steps to determine that the information is of the type available to the 
general public and, if an individual can direct that the information 
not be made available to the general public, that an individual has not 
done so. The examples of what constitutes a reasonable basis were 
discussed in the above section on nonpublic personal information.
    Publicly available information will be excluded from the scope of 
``nonpublic personal information,'' whether or not the credit union 
obtains it from a publicly available source (unless, as previously 
noted, it is part of a list of consumers that is derived using 
personally identifiable financial information). Under this approach, 
the fact that a consumer has given publicly available information to a 
credit union would not automatically extend to that information the 
protections afforded to nonpublic personal information.
    Several commenters objected to the example in Sec. 716.3(q)(2)(ii) 
of the proposed rule that publicly available information from widely 
distributed media includes information from an Internet site that is 
available to the general public ``without requiring a password or 
similar restriction.'' The NCUA and the other Agencies agree with the 
commenters that some web sites require a password or fee to obtain 
public information. Therefore, the example in the final rule provides 
that widely distributed media includes information from a web site that 
is available to the general public on an unrestricted basis. The fact 
that a web site has a fee or password does not render the web site 
restricted.

Subpart A--Privacy and Opt Out Notices

Section 716.4  Initial Privacy Notice to Consumers Required

    The GLB Act requires a financial institution to provide an initial 
notice of its privacy policies and practices in two circumstances. For 
customers, the notice must be provided at the time of establishing a 
customer relationship. For credit unions, ordinarily this will be at 
the time an individual applies for membership. For consumers who do not 
become members, the credit union must provide the notice prior to 
disclosing nonpublic personal information about the consumer to a 
nonaffiliated third party.
    Proposed Sec. 716.4(a) required a credit union to provide an 
individual a privacy notice prior to the time that it establishes a 
customer relationship. The final rule provides that the credit union 
must provide the initial notice not later than the time it has 
established a member relationship. Nothing in the proposed rule is 
intended to discourage a credit union from providing a privacy notice 
at an earlier point in the relationship to make it easier for an 
individual to compare several institutions' privacy policies and 
practices in advance of conducting transactions.
    The final rule provides in Sec. 716.4(c)(2) that a credit union 
establishes a member relationship with a consumer when the credit union 
originates or the consumer's loan. However, if the credit union 
transfers the servicing rights to a loan, the membership relationship 
transfers with the servicing rights. The final rule provides examples 
of this ``loan rule'' in Sec. 716.4(c)(3)(ii), including examples of a 
credit union that originates the loan and retains the servicing rights 
or purchases the servicing rights to the loan.
    A few commenters requested that the rule not require a new opt out 
notice when an existing customer opens a new account. NCUA agrees that 
it is unnecessary for a credit union to provide a member with 
additional copies of its initial notice every time the member obtains a 
financial product or service. The final rule in Sec. 716.4(d) contains 
a new provision that the credit union need not provide a new privacy 
notice to an existing member who has already received a notice that was 
accurate with respect to the new financial product or service. If the 
credit union's privacy policies and practices have changed, the credit 
union may provide the member with a revised privacy notice if it 
chooses to do so. Under Sec. 716.8, the credit union would

[[Page 31728]]

have to provide a new privacy notice if the new account was not covered 
by the previously provided notice.
    The proposed rule in Sec. 716.4(f) provided that, if a credit union 
and consumer orally enter into a contract for financial services over 
the telephone, the credit union may provide the consumer with the 
initial notice after providing the service so as not to delay the 
transaction. Several commenters wrote that when accounts are opened 
over the phone it would be reasonable for the credit union to provide 
the disclosures, including opt out notices at a reasonable time after 
the transaction, such as within 20 days. They contended that the rule 
should not require the consumer to consent to the subsequent delivery 
of the notice. This would be consistent with the requirements under the 
Truth in Savings Act. One commenter wrote that the notice should be in 
writing at the time the service is provided, not later.
    Consistent with the proposed rule, the final rule allows, in some 
cases, for subsequent delivery of initial notices within a reasonable 
time after the credit union establishes a member relationship and 
examples of this under Sec. 716.4(e). First, the credit union may 
provide notice after the fact if the establishment of the member 
relationship is not at the customer's election. This might occur, for 
instance, when a share account is transferred. Second, a credit union 
may send notice after establishing a member relationship when to do 
otherwise would substantially delay the consumer's transaction and the 
consumer agrees to receive the notice at a later time. An example of 
this would be when a transaction is conducted over the telephone and 
the member desires prompt delivery of the financial product or service. 
Third, the final rule also permits after-the-fact notices when an 
independent third party arranges the member relationship on the credit 
union's behalf without its prior knowledge. Typical of this type of 
arrangement would be the submission to a credit union by a college's 
financial aid office of a completed student loan application along with 
a request for prompt disbursement upon the credit union's acceptance of 
the application.
    The Board notes that in most situations, and particularly in 
situations involving the establishment of a member relationship in 
person, a credit union should give the initial notice at a point when 
the consumer still has a meaningful choice about whether to enter into 
the member relationship. The exceptions listed in the examples, while 
not exhaustive, are intended to illustrate the less frequent situations 
when delivery either would pose a significant impediment to the conduct 
of a routine business practice or the consumer agrees to receive the 
notice later in order to obtain a financial product or service 
immediately.
    In circumstances when it is appropriate to deliver an initial 
notice after the member relationship is established, a credit union 
should deliver the notice within a reasonable time thereafter. A few 
commenters requested that the final rule specify precisely how many 
days a credit union has in which to deliver the notice under these 
circumstances. However, the Board believes that a rule prescribing the 
maximum number of days would be inappropriate because (a) the 
circumstances of when an after-the-fact notice is appropriate are 
likely to vary significantly, and (b) a rule that attempts to 
accommodate every circumstance is likely to provide more time than is 
appropriate in many instances. Thus, rather than establish a rule that 
the Board believes may be viewed as applicable in all circumstances, 
the Board elected to retain the more general rule as set out in the 
proposal in Sec. 716.4(e)(1).
    As the Board noted in the preamble to the proposed rule, nothing in 
the rule is intended to discourage a credit union from providing an 
individual with a privacy notice at an earlier point in the 
relationship if the institution wishes to do so in order to make it 
easier for the individual to compare its privacy policies and practices 
with those of other financial institutions in advance of conducting 
transactions. The Board requested comment on who should receive a 
notice where there is more than one party to an account. Approximately 
50 commenters replied that the regulation should require only that the 
primary account holder should receive the notice and right to opt out. 
The reasons in support of giving only the primary account holder notice 
and opt out rights were that: This is consistent with other 
regulations; some joint account holders are minors; some live in the 
same households as each other; addresses for some joint account holders 
are not available; and it would be burdensome to provide notice and opt 
out to all account holders. A few commenters wrote that the financial 
institution should have the option to offer more than one party to an 
account individual notice and opt out rights and incur the extra cost.
    The commenters who noted that one notice is consistent with other 
regulations cited those implementing the Equal Credit Opportunity Act 
(Regulation B, 12 CFR part 202) and the Truth in Lending Act 
(Regulation Z, 12 CFR part 225). Commenters noted that under both 
regulations, a financial institution is permitted to give only one 
notice. The authorities cited include requirements that the financial 
institution give disclosures, as appropriate, to the ``primary 
applicant'' if this is readily apparent (in the case of Regulation B; 
see 12 CFR 202.9(f)) or to a person ``primarily liable on the account'' 
(in the case of Regulation Z; see 12 CFR 226.5(b)).
    The Board found these comments persuasive with respect to financial 
products and services, other than loans (including lines of credit). 
The Board believes that co-makers and guarantors on loans should 
receive the notice and right to opt out because of the extent and 
nature of nonpublic personal information provided to the credit union 
in conjunction with these types of transactions. Co-makers and 
guarantors of loans are entitled to receive separate notices. The final 
rule in Sec. 716.4(f) provides that if two or more consumers obtain a 
financial product or service, other than a loan, from the credit union 
jointly, it may satisfy the initial notice requirement by providing one 
initial notice to those consumers jointly, but that either consumer may 
exercise the opt out right.
    For ease of reference, the final rule provides in Sec. 716.4(g) 
that credit unions should refer to Sec. 716.9 for methods of delivering 
an initial privacy notice or Sec. 716.6 for initial notices for 
nonmember consumers.

Section 716.5  Annual Privacy Notice to Members Required

    The proposed rule required a credit union to provide customers with 
a clear and conspicuous notice that accurately reflects the privacy 
policies and practices, once during any period of twelve consecutive 
months. Although the GLB Act requires financial institutions to provide 
annual notices to customers, several commenters recommended eliminating 
the requirement. A few commenters wrote that the Board should require 
credit unions to send the notice once every calendar year, not once 
annually, so that they can send the notices to all customers in a mass 
mailing with other required disclosures. The final rule provides that 
the credit union may define the 12-consecutive-month period, and 
includes a new example.
    The Board requested comment on whether the example of dormant 
accounts provides a clear standard for whether an individual is exempt 
from the annual notice requirement and whether the applicable standard 
should

[[Page 31729]]

be the credit union's policies or state law. The Board also requested 
comment on whether the standard should apply to members as well as 
nonmembers.
    A few commenters supported application of the dormant account 
standard under state law. Several commenters supported use of the term 
inactive instead of dormant. Several commenters wrote that the credit 
union's policy on inactive accounts, rather than state law on dormant 
accounts should apply. These commenters contended that reliance on 
state dormancy laws might produce conflicting results and unnecessary 
burden for credit unions operating in more than one state. Several 
commenters supported a standard of 12 months with no documented account 
activity rather than either term. The final rule retains the examples 
and uses the term inactive instead of dormant. The Board believes an 
example that suggests credit unions look to their own inactive account 
policies provides adequate guidance and greater flexibility than 
suggesting credit unions look to state dormancy laws.
    Some commenters said members and nonmembers should be treated the 
same with regard to the standard for dormant accounts. The Board has 
retained the distinction between nonmember and member inactive accounts 
because a credit union may still have a duty to provide notices to an 
individual who is a member under the credit union's bylaws, regardless 
of whether a member's account has been declared inactive. The duty to 
provide notice to an individual who is a member under the credit 
union's bylaws only ceases when the member relationship terminates.

Section 716.6  Information To Be Included in Initial and Annual Privacy 
Notices

    The proposed rule provides the required content for the initial and 
annual notices to customers. The proposed rule required notices to 
include: categories of nonpublic personal information that a credit 
union may collect; categories it may disclose; categories of affiliates 
and nonaffiliated third parties to whom a credit union discloses 
nonpublic personal information; information about former customers; 
information disclosed to service providers; the right to opt out; 
disclosures made under the Fair Credit Reporting Act (FCRA); and 
confidentiality, security, and integrity standards. The final rule 
provides that a credit union need only include each of the above items 
that apply to it, but may include other information.
    Several commenters found these requirements burdensome and more 
detailed than the GLB Act requires. One commenter requested that the 
right to opt out not be disclosed in the privacy notice. A few 
commenters requested that the Board use the plain language of the GLB 
Act for the content of the notice and delete other requirements. The 
final rule provides that a credit union may send a short-form initial 
notice with an opt out notice for nonmember consumers under 
Sec. 716.6(c). This short-form must state that a privacy notice is 
available upon request and provide a reasonable means, such as a toll-
free number, by which the consumer may obtain the notice.
    The proposed rule requested comment on whether a disclosure that a 
credit union makes disclosures as permitted by law to nonaffiliated 
third parties in addition to those described in the notice would be 
adequate. Several commenters wrote that this disclosure was adequate. A 
couple of commenters objected to this disclosure because the GLB Act 
specifically exempts notice in these instances and it could cause 
consumer confusion. The final rule retains the provision for 
disclosures as permitted by law as the NCUA and the other Agencies 
proposed it.
    Several commenters requested that the Board clarify the meaning of 
the terms ``categories of information'' that are ``collected'' and 
``disclosed'' and amend the examples. A few commenters recommended the 
rule retain the examples used for the categories of information 
collected and repeat those examples for the categories of information 
disclosed. NCUA and the other Agencies are revising and expanding the 
examples for these terms in the final rule in Sec. 716.6(e).
    One commenter suggested that the Board create an exemption from the 
annual notice requirement for credit unions that do not share nonpublic 
personal information with nonaffiliated third parties. NCUA and the 
other Agencies are rejecting this suggestion, but the final rule in 
Sec. 716.6(e)(5) permits credit unions to provide simplified notices if 
they do not disclose or intend to disclose nonpublic personal 
information to affiliates or nonaffiliated third parties except under 
the exceptions authorized in Secs. 716.14 and 716.15.
    The proposed rule stated that the NCUA was in the process of 
preparing proposed section 501 standards relating to administrative, 
technical, and physical safeguards. A few commenters wrote that credit 
unions need guidance on security standards. The NCUA intends to issues 
proposed standards as an appendix to this regulation for notice and 
public comment in approximately one month.
    A couple of commenters wrote that the disclosures of who has access 
to the information were unnecessary and could be harmful to a financial 
institution's security. The final rule provides that the credit union 
need only describe in general terms who is authorized to have access to 
the information and provides an example in Sec. 716.6(e)(6).
    A few commenters requested that the rule clarify that the privacy 
policies and practices of several different affiliated financial 
institutions may be described on a single notice. Related to this 
point, commenters requested that the final rule address whether 
affiliated financial institutions, each of whom has a customer or 
member relationship with the same consumer, may elect to send only one 
notice to the consumer on behalf of all of the affiliates covered by 
the notice and have that one notice satisfy the disclosure obligations 
under Sec. 716.4 of each affiliate. NCUA and the other Agencies agree 
that financial institutions should be able to combine initial 
disclosures in one document. The final rule reflects this flexibility, 
in Sec. 716.6(e)(7). NCUA and the other Agencies emphasize that the 
notice must be accurate for all financial institutions using the 
notice.

Section 716.7  Form of Opt Out Notice to Consumers and Opt Out Methods

    The proposed rule in Sec. 716.8 provided as an example that a 
credit union will provide adequate notice of the right to opt out if it 
identifies: The categories of information that may be disclosed; the 
categories of nonaffiliated third parties to whom the information may 
be disclosed; and that the consumer may opt out of those disclosures. 
The final rule adds that the credit union should also identify the 
financial products or services that the consumer obtains, either singly 
or jointly from the credit union, to which the opt out direction would 
apply.
    The proposed rule also provided several examples by which a credit 
union may provide a reasonable means for the consumer to opt out, 
including check off boxes, self-addressed stamped reply forms, and 
electronic mail addresses. Approximately 20 commenters requested that 
the Board delete the stamped reply example, contending it is 
unreasonable, unfair, costly to financial institutions, and not a 
statutory requirement. A couple of commenters supported the concept of 
stamped reply forms so that opting out would be convenient for the 
consumer.

[[Page 31730]]

In the final rule, the Board has deleted the reference to self-
addressed and stamped, but has retained the example of a reply form in 
Sec. 716.7(a)(2)(ii)(B).
    Several commenters wrote that they supported allowing opt outs by 
electronic means. The final rule retains this example in 
Sec. 716.7(a)(2)(ii)(C).
    A few commenters recommended that the Board permit the consumer to 
opt out orally. Approximately 16 commenters requested that the final 
rule include an example of opt out by means of a toll-free telephone 
number. The final rule adds the example of a credit union providing a 
toll-free telephone number that consumers may call to opt out in 
Sec. 716.7(a)(2)(ii)(D).
    The proposed rule stated that a credit union does not provide a 
reasonable means of opting out if it requires a consumer to send his or 
her own letter informing the credit union of the opt out election. One 
commenter supported this interpretation. Four commenters disagreed and 
wrote that the proposed rule goes beyond the GLB Act on this issue. The 
final rule retains this example in Sec. 716.7(a)(2)(iii)(A). The final 
rule also provides another example of an unreasonable means of opting 
out. This would be if the credit union describes in a subsequent opt 
out notice that a consumer may opt out by designating check-off boxes 
that were provided with the initial notice, but not included with the 
subsequent notice.
    Several commenters requested that the Board provide that credit 
unions will be able to impose their own requirements on how consumers 
opt out. For example, a commenter requested that the Board permit 
credit unions to require customers to submit account numbers with an 
opt out request. The final rule provides that a credit union may 
require each consumer to opt out through a specific means, if it is 
reasonable for that consumer. 12 CFR 716.7(a)(2)(iv). The final rule 
provides that a credit union may provide the opt out notice together 
with or on the same form as the initial notice. 12 CFR 716.7(b).
    NCUA requested comment on how the right to opt out should apply to 
joint account holders and trustees of commingled trust accounts, where 
a trustee manages a single account on behalf of multiple beneficiaries. 
For the same reasons as in the discussion on initial notice under 
Sec. 716.4, approximately 50 commenters supported only requiring that 
the primary account holder get a right to opt out. A few commenters 
wrote that either party on a joint account should have the right to opt 
out. One commenter requested that, if one party to a joint account 
wants to opt out, the financial institution should honor his or her 
request. The final rule provides that the credit union need only 
provide one opt out notice to holders of accounts, other than loans, 
but that either party to the joint account may exercise an opt out 
direction. 12 CFR 716.7(d). The final rule provides that the credit 
union may treat the opt out direction by a joint consumer as applying 
to all of the associated joint consumers or permit each joint consumer 
to opt out separately. The final rule also provides an example. 12 CFR 
716.7(d)(5).
    With regard to application of the right to opt out to trustees, as 
previously discussed in connection with the definition of consumer, 12 
CFR Sec. 716.3(e)(1), a credit union need not provide notice to both a 
consumer and a consumer's legal representative. Thus, a credit union 
may provide notice of the right to opt out to either the beneficiaries 
or their legal representative.
    The proposed rule in Sec. 716.8(d) stated that a consumer has the 
right to opt out at any time. The proposed rule also required that the 
sharing of nonpublic personal information stop promptly when the 
consumer opts out. Some commenters asked the Board to clarify in the 
final rule how long a credit union has after receiving an opt out to 
cease disclosing nonpublic personal information to nonaffiliated third 
parties. Several commenters requested that the rule provide no opt out 
rights once a sharing or affinity program has begun. Several commenters 
requested that the right to opt out should only affect disclosures 
after the consumer has opted out and should not apply retroactively. 
One commenter requested that the rule require a financial institution 
has to comply with a consumer's subsequent opt out within 30 days of 
his or her request.
    The final rule retains the consumer's continuing right to opt out. 
12 CFR 716.7(f). The final rule also requires the sharing of nonpublic 
personal information to stop as soon as reasonably practicable after 
the credit union receives the opt out direction. 12 CFR 716.7(e). NCUA, 
consistent with the other Agencies, believes that it is appropriate to 
retain this more general rule in light of the wide range of practices 
throughout the financial institutions industry. A potential drawback of 
a more prescriptive rule is that a credit union might use the standard 
as a safe harbor in all instances and thus fail to honor an opt out as 
early as it is otherwise capable of doing. Another drawback is that a 
standard that is set in light of current industry practices and 
capabilities is likely to become outmoded quickly as advances in 
technology increase efficiency. NCUA therefore declines to adopt a more 
rigid standard, and instead retains the rule as set out in 
Sec. 716.7(e) of the final rule.
    The proposed rule in Sec. 716.8(e) stated that an opt out will 
continue until a consumer revokes it in writing, or, if the consumer 
agrees, electronically. The final rule retains those requirements in 
Sec. 716.7(g). The final rule clarifies that when the member 
relationship terminates, the opt out direction continues to apply to 
information collected during the relationship. If the individual then 
enters into a new member relationship with the credit union, the former 
opt out direction does not apply to the new relationship. 12 CFR 
716.7(g)(2). The final rule states that requirements for delivery of 
the opt out notices are found in Sec. 716.9. 12 CFR 716.7(h).
    NCUA requested comment on the regulatory burden of complying with 
opt out notices. How do credit unions expect to give opt out 
opportunities? How many opt outs do credit unions expect to receive and 
need to process? Commenters who responded generally did not address 
these issues with specificity, but some stated that complying with the 
opt out notice requirements and directions will be burdensome.

Section 716.8  Revised Privacy Notices

    For ease of reference in the final rule, NCUA and the other 
Agencies are grouping the provisions concerning revised notices into 
one section. The proposed rule contained requirements that a credit 
union send a customer a new notice and opt out when there is a change 
in terms. A couple of commenters recommended eliminating these 
requirements. A couple of commenters recommended the Board revise the 
language to specify a ``material'' change in terms. One commenter wrote 
that when a financial institution changes its terms, a consumer's prior 
opt out should remain in effect for 30 days while he or she is 
permitted to consider the new right to opt out. NCUA and the other 
Agencies are retaining these requirements in the final rule as 
proposed, but are adding an additional example. The new example 
provides that the credit union must provide a revised policy notice if 
it discloses nonpublic personal information to a nonaffiliated third 
party about a former customer who has not had the opportunity to 
exercise an opt out right regarding that disclosure. The final rule 
moves the requirements

[[Page 31731]]

for delivery of the revised notices to Sec. 716.9.

Section 716.9  Delivering Privacy and Opt Out Notices

    In the proposed rule, the rules governing how credit unions must 
provide the initial and annual privacy notices and opt out notices were 
found in various sections depending on the type of notice. For ease of 
reference in the final rule, NCUA and the other Agencies are grouping 
the provisions concerning delivery of privacy and opt out notices into 
one section.
    The proposed rule provided that the notices may be delivered in 
writing or, if the consumer agrees, electronically. The proposed rule 
required that the credit union provide the notices so that each 
recipient can reasonably be expected to receive actual notice. A few 
commenters objected to the requirement that the credit union must 
reasonably expect the customer will receive the notice. Their reasons 
were that this requirement is: Not expressly stated in the statute, not 
consistent with other disclosure regulations, and burdensome. The final 
rule in Sec. 716.9(a) contains the requirements for any privacy notices 
and opt out notices, including short-form initial notices.
    The proposed rule provided examples of acceptable methods of 
delivery of the notice to customers where the credit union may 
reasonably expect the customer will receive the notice. The Board 
requested comment on the regulatory burden of providing the initial 
notice and the methods credit unions expect to use to provide the 
notice.
    One commenter recommended the reference to sending the consumer an 
electronic mail notice be deleted because a preferable method would be 
for a customer to access the notice on a secure site. Several 
commenters requested that the regulation provide examples of other 
means of electronic delivery, such as posting the notice on the web and 
informing the consumer to access the site, or sending an electronic 
mail with a link to the notice. The final rule retains the examples of 
reasonable and unreasonable expectations of delivery in Sec. 716.9(b).
    The proposed rule stated that oral notices alone are insufficient. 
A few commenters requested that oral notice be permitted where the 
financial institution establishes the customer relationship over the 
telephone. A few commenters objected that it would be costly to train 
staff to provide oral notices. The final rule retains the provision 
that oral notices alone are insufficient in Sec. 716.9(d).
    Several commenters wrote that providing the annual notice will be 
burdensome and a waste of resources. One commenter requested that 
credit unions not be required to send the notice unless their policies 
have changed. Some commenters requested that the regulation permit the 
credit union to comply with the annual notice requirement by posting 
the notice on its web site. NCUA and the other Agencies agree with the 
commenters. For annual notices only, the final rule permits a credit 
union to reasonably expect a member to receive notice if the member 
uses the credit union's web site to access financial products and 
services electronically, agrees to receive notices there, and the 
credit union posts the current privacy policy there in a clear and 
conspicuous manner. 12 CFR Sec. 716.9(c).
    Several commenters requested that customers should be able to waive 
the right to receive the annual notice. Another commenter wrote that a 
credit union should be able to comply with the law by providing the 
policy to customers only upon their request. A couple of commenters 
requested that credit unions should not have to send the notice to 
customers who have opted out. The final rule permits the credit union 
to reasonably expect that a member will receive actual notice of the 
privacy notice if he or she has requested the credit union refrain from 
sending any information regarding the member relationship and the 
current policy remains available to the member upon request. 12 CFR 
716.9(c).
    The proposed rule in Sec. 716.4(g) required the credit union to 
provide the notice to the customer in a form that can be retained or 
obtained at a later time, in a written form or if the customer agrees, 
in electronic form. Some commenters supported the requirement for the 
notice to be retainable or obtainable and some opposed it as 
burdensome. A few commenters wrote that the Board should delete the 
requirement that the consumer must agree to the electronic form. One 
commenter suggested that the agreement should be implied if the 
customer initiates an electronic transaction.
    NCUA requested comment on whether there are situations where 
providing notice by mail is impracticable. Several commenters suggested 
the credit union should not have to provide the notice by mail if the 
credit union does not have the customer's current address. Some 
commenters suggested that the credit union should not have to provide 
the disclosures at all if it does not have the address or another way 
to contact the customer.
    Section 716.9(e) of the final rule retains the requirement that the 
initial notice, annual notice, and any revised notice be given in a way 
so that the member may either retain them or access them at a later 
time and provides examples, such as mailing the notice to the last 
known address. NCUA acknowledges that, in some cases, credit unions 
will not have any means of delivery.

Subpart B--Limits on Disclosures

Section 716.10  Limits on Disclosure of Nonpublic Personal Information 
to Nonaffiliated Third Parties

    NCUA and the other Agencies are moving the main operative 
provisions from Sec. 716.7 in the proposed rule to Sec. 716.10 in the 
final rule. The proposed rule in Sec. 716.7 required that a credit 
union give the consumer a reasonable opportunity to opt out before it 
discloses the consumer's information. The proposed rule provided an 
example that when a credit union has mailed a privacy notice to a 
customer, he or she will have 30 days to opt out. NCUA invited comment 
on whether 30 days is a reasonable opportunity to opt out in the case 
of notices sent by mail. Several commenters requested that NCUA remove 
the reference to 30 days. Several commenters wrote that 30 days was a 
reasonable time period. A few commenters recommended 15 days and one 
recommended 60 days. The final rule retains 30 days as an example of a 
reasonable period of time to allow the consumer to opt out by mailing a 
form, calling a toll-free number, or any other reasonable means. 12 CFR 
716.10(a)(3)(i).
    NCUA also requested comment on whether an example in the context of 
transactions conducted using an electronic medium would be helpful. One 
commenter wrote that three days was a reasonable period for the 
consumer to opt out when the delivery of the notice was by electronic 
methods. A few commenters requested that the Board specify a uniform 
time frame as a reasonable opt out period, no matter how the credit 
union has delivered the notice. The Board agrees with these commenters. 
The final rule adds an example of reasonable opportunity to opt out by 
electronic means for a member who opens an on-line account with a 
credit union. If the credit union makes the notices available on its 
web site, the member may opt out by any reasonable means within 30 days 
after the date he or she acknowledges receipt of a notice. 12 CFR 
716.10(a)(3)(ii).

[[Page 31732]]

    The proposed rule also provided an example of a reasonable method 
for the consumer to opt out in an isolated transaction. One commenter 
recommended not requiring the opt out to be a necessary part of the 
transaction. A couple of commenters recommended allowing the consumer 
to opt out at a later time by mail. The final rule retains the example 
from the proposed rule. 12 CFR 716.10(a)(3)(iii).
    A couple of commenters requested that the Board clarify the 
description of partial opt outs. The Board believes the description is 
adequate and the final rule retains the description from the proposed 
rule. 12 CFR 716.10(c).

Section 716.11  Limits on Redisclosure and Reuse of Information

    Section 716.12 of the proposed rule implemented the GLB Act's 
limitations on redisclosure and reuse of nonpublic personal information 
about consumers. Section 502(c) provides that a nonaffiliated third 
party that receives nonpublic personal information from a financial 
institution shall not, directly or through an affiliate of the third 
party, disclose the information to any person that is not affiliated 
with either the financial institution or the third party, unless the 
disclosure would be lawful if made directly by the financial 
institution. The final rule revises the language and adds examples.
    Paragraph (a)(1) of the proposed rule set out the GLB Act's 
redisclosure limitation as it applies to a credit union that receives 
information from another financial institution. Paragraph (b)(1) of the 
proposed rule mirrored the provisions of paragraph (a)(1), but applied 
the redisclosure limits to any nonaffiliated third party that receives 
nonpublic personal information from a credit union.
    The Board requested comment on whether subsequent disclosures by 
the third party to parties other than the credit union are lawful. One 
commenter wrote that no third party reuse should be allowed. 
Approximately 11 commenters thought some reuse by third parties should 
be allowed as permitted by law or the exceptions.
    Some of these commenters criticized imposing limits on reuse 
premised on the conclusion that Congress, by addressing limits on 
redisclosures in section 502(c) of the GLB Act, provided the only 
limits that may be imposed on what a recipient of nonpublic personal 
information can do with that information. The Board, consistent with 
the other Agencies, disagrees with that premise. Section 502(c) is 
silent on the question of reuse, making it necessary to look to the 
overall purpose of the statute to determine whether the Board should 
impose limits on the ability of nonaffiliated third parties to reuse 
nonpublic personal information that they receive from a credit union. 
The Board, consistent with the other Agencies, believes that the 
overall purposes of subpart A of Title V of the Act makes it 
appropriate to impose limits on reuse, depending on whether the 
information was obtained pursuant to one of the exceptions in section 
502(e) of the GLB Act (as implemented by Secs. 716.14 and 716.15 of the 
final rule).
    When disclosures are made in connection with one of the purposes 
set out in section 502(e), those disclosures are exempt from the notice 
and opt out protections altogether. A consumer has no right to prohibit 
those disclosures or even to know more than the financial institution 
is making the disclosures ``as permitted by law.'' The only protection 
afforded by the statute for disclosures made under section 502(e) is 
the limited nature of the exceptions. The Board believes it would be 
inappropriate to undermine the protection by allowing the recipient of 
nonpublic personal information to reuse the information for any 
purpose, including marketing.
    By contrast, when a consumer decides not to opt out after being 
given adequate notices and the opportunity to do so, that consumer has 
made a decision to permit the sharing of his or her nonpublic personal 
information to the categories of entities identified in the financial 
institution's notices. The consumer's primary protection in the case of 
a disclosure falling outside the 502(e) exceptions comes from receiving 
the mandatory disclosures and the right to opt out. The statute 
provides only the additional protection in section 502(c), restricting 
a recipient's ability to redisclose information to entities that are 
not affiliated with either the recipient or the financial institution 
making the disclosure initially. Thus, if a consumer permits a 
financial institution to disclose nonpublic personal information to the 
categories of nonaffiliated third parties that are described in the 
institution's notices, recipients of that nonpublic personal 
information appear authorized under the statute to make disclosures 
that comply with those notices.
    To implement this statutory scheme, the Board, consistent with the 
other Agencies, has retained a limit on reuse in addition to the limit 
on redisclosures. The final rule addresses a credit union's disclosure 
of the information it receives from a financial institution to: The 
credit union's own affiliates, the financial institution's affiliates, 
and others. A credit union may disclose the information to its 
affiliates who, in turn, may disclose and use the information only to 
the same extent as the credit union. Second, a credit union may 
disclose the information to the affiliates of the financial institution 
from whom the credit union received the information. Third, a credit 
union may disclose and use the information pursuant to the exceptions 
under Secs. 716.14 and 716.15. The limits on redisclosure and reuse 
that apply to recipients of information and their affiliates will vary, 
depending on whether the information was provided pursuant to one of 
the exceptions in Secs. 716.14 and 716.15.
    If a credit union received the nonpublic personal information from 
a financial institution pursuant to an exception under Secs. 716.14 and 
716.15, the credit union may disclose the information to its affiliates 
or to affiliates of the financial institution from which the 
information was received. In addition, the credit union may disclose 
and use the information pursuant to an exception in 716.14 or 716.15 in 
the ordinary course of business to carry out the activity covered by 
that exception. 12 CFR 716.11(a)(1)(iii). An example of this is if a 
credit union performs correspondent services for another credit union 
and receives a list containing member information, the credit union 
performing the services may disclose the list in response to a subpoena 
or to its attorneys, accountants, or auditors. The credit union could 
not use the list for its own marketing or disclose the list to a third 
party for marketing. The credit union's affiliates may disclose and use 
the information, but only to the extent permissible for the credit 
union.
    If a credit union received the nonpublic personal information from 
a financial institution other than pursuant to an exception under 
Sec. 716.14 or 716.15, the credit union may disclose the information to 
its affiliates or to the affiliates of the financial institution that 
made the initial disclosure. In addition, the credit union may disclose 
the information to any other person if the disclosure would be lawful 
if the financial institution made the disclosure directly to that 
person. The final rule also provides an example. The credit union may 
disclose a list it receives from a financial institution to another 
nonaffiliated third party only if the financial institution could have 
lawfully disclosed it to the nonaffiliated third party. The credit 
union may disclose the list in accordance with the privacy policy of 
the financial institution, as limited by the opt out directions of each

[[Page 31733]]

consumer whose information the credit union intends to disclose. The 
affiliates of the credit union may disclose the information only to the 
extent that the credit union may disclose the information.
    The Board requested comment on whether the rule should require a 
credit union that discloses nonpublic personal information to a 
nonaffiliated third party to develop policies and procedures to ensure 
that the third party complies with the limits on redisclosure of that 
information. Approximately 25 commenters thought that the credit union 
should not be responsible for third party compliance because it would 
be burdensome and unnecessary. A few commenters replied that financial 
institutions should develop policies and procedures on third party 
compliance. A few commenters wrote that the Board should suggest 
confidentiality agreements between credit unions and vendors. One 
commenter suggested that a credit union should use due diligence when 
selecting the third party.
    The Board, consistent with the other Agencies, has given these 
comments due consideration and Sec. 716.11 of the final rule does not 
impose a specific duty on credit unions to monitor third parties' use 
of nonpublic personal information provided by the credit unions. The 
Board notes, however, that credit unions may have contracts in place 
that limit what the recipient may do with the information. The Board 
also notes that the limits on reuse as stated in the final rule provide 
a basis for an action to be brought against an entity that violates 
those limits.
    Paragraphs (c) and (d) of the final rule mirror the provisions of 
paragraphs (a) and (b) of the final rule. The same general redisclosure 
and reuse limits apply to any nonaffiliated financial institution that 
receives nonpublic personal information from a credit union as would 
apply to a credit union that receives such information from a 
nonaffiliated financial institution.

Section 716.12  Limits on Sharing of Account Number Information for 
Marketing Purposes

    Section 502(d) of the GLB Act prohibits a financial institution 
from disclosing, other than to a consumer reporting agency, an account 
number or similar form of access number or access code for a credit 
card account, deposit account, or transaction account of a consumer to 
any nonaffiliated third party for use in telemarketing, direct mail 
marketing, or other marketing through electronic mail to the consumer. 
Proposed Sec. 716.13 restated this statutory prohibition with minor 
stylistic changes intended to make the rule easier to read.
    A few commenters recommended that the Board clarify that these 
limits only apply to credit card accounts, transaction accounts and 
deposit accounts. Several commenters requested that the Agencies 
provide a definition and specific examples of a transaction account. A 
few commenters requested confirmation that transaction accounts do not 
include mortgage accounts or insurance accounts. The final rule 
clarifies that a transaction account is an account other than a share 
account or credit card account, and does not include an account to 
which a third party cannot initiate a charge. 12 CFR 716.12(c)(2).
    The Board also requested comment on whether a flat prohibition 
would disrupt routine, unobjectionable practices. Several commenters 
were concerned that it would disrupt the practices of a service 
provider who prepares and distributes monthly credit union statements 
and includes literature about products with the statement. 
Approximately 18 commenters requested that the Board clarify that the 
scope of the prohibition is narrow. One commenter requested that the 
Agencies adopt this rule unchanged from the proposed and not add any 
exceptions.
    The commenters requested clarification that the limits on sharing 
do not apply to a financial institution itself or those acting on 
behalf of the financial institution. Some credit unions noted that they 
use agents or service providers to conduct marketing on the credit 
union's behalf. This might occur, for instance, when a credit union 
instructs a service provider that assists in the delivery of monthly 
statements to include a ``statement stuffer'' with the statement 
informing consumers about a financial product or service offered by the 
credit union. NCUA, consistent with the other Agencies, recognizes the 
need to disclose account numbers in this instance, and believes that 
there is little risk to the consumer presented by such disclosure. 
Similarly, NCUA recognizes that a credit union may use agents to market 
the credit union's own financial products and services. Commenters 
advocating that the final rule exclude disclosures to agents stated 
that the agents effectively act as the credit union in the marketing of 
its financial products and services. These commenters suggested that 
there was no more reason to preclude sharing the account numbers with 
an agent hired to market the credit union's financial products and 
services than there would be to preclude sharing between two 
departments of the same credit union.
    The final rule provides for an exception to the prohibition on 
account number disclosure to the credit union's agent or service 
provider solely in order to perform marketing for the credit union's 
products or services, as long as the agent or service provider cannot 
directly initiate charges to the account. 12 CFR 716.12(b)(1).
    The Board requested comment on whether the GLB Act prohibits a 
credit union from disclosing encrypted account numbers to a marketing 
firm if the credit union does not provide the key to the marketer. The 
Board also requested comment on whether an exception could avoid 
creating risks that may arise when a third party is provided access to 
a consumer's account. Approximately 21 commenters requested that the 
rule permit a financial institution to disclose an encrypted, 
truncated, scrambled, reference, or similarly coded form number to 
identify a customer. NCUA, consistent with the other Agencies, believes 
that consumers will be adequately protected by disclosures of encrypted 
account numbers that do not enable the recipient to access the 
consumer's account. The final rule provides a negative example that an 
account number, or similar form of access number or code, does not 
include a number or code in an encrypted form, if the credit union does 
not provide the recipient with a means to decode the number or code. 12 
CFR 716.12(c)(1).
    The Board also requested comment on whether a consumer should be 
able to consent to the disclosure of his or her account number and what 
standards should apply. All of the approximately ten commenters who 
commented on this issue wrote that the regulation should state that a 
consumer may consent to disclosure. A few commenters requested that the 
rule permit credit unions to share a customer's account number with a 
third party if the customer actually purchases the marketed product. 
The final rule addresses consumer consent in Sec. 716.15, and does not 
address it again in this section.
    Several commenters requested that a credit union should be able to 
disclose an account number to a participant in a private label credit 
card program or an affinity or similar program where participants are 
identified to the member when the member enters the program. Under 
these programs, a consumer typically will be offered certain benefits, 
often by a retail merchant, in return for using a credit card that is 
issued by a particular financial institution. In the example of a 
private label credit card, the consumer

[[Page 31734]]

understands the need for the merchant and the financial institution to 
share the consumer's account number. The NCUA and the other Agencies 
believe this sort of disclosure is appropriate and does not create a 
significant risk to the consumer. The final rule provides for this 
exception in Sec. 716.12(b)(2) where the participants are identified to 
the consumer at the time the consumer enters into the program.

Subpart C--Exceptions

Section 716.13  Exception to Opt Out Requirements for Service Providers 
and Joint Marketing

    Section 502(b) of the GLB Act creates an exception to the opt out 
rules for the disclosure of information to service providers and for 
marketing. A consumer will not have the right to opt out of disclosing 
nonpublic personal information to nonaffiliated third parties under 
these circumstances, if the credit union satisfies certain 
requirements. Section 502(b) of the GLB Act provides that the financial 
institution must ``fully disclose'' to the consumer that it will 
provide this information to the nonaffiliated third party before the 
information is shared. This disclosure should be provided as part of 
the initial notice that is required by Sec. 716.4. NCUA invited comment 
on whether the proposed rule in Sec. 716.9 appropriately implemented 
the requirement of ``full'' disclosure.
    A couple of commenters suggested that consumers should be fully 
informed of the parties to the joint marketing agreements. One 
supported this approach so that members can report abuses to NCUA. 
Another commenter opposed specific, separate disclosures for joint 
marketing agreements. The Board believes that the notice requirement as 
proposed satisfies the full disclosure requirement of the GLB Act and, 
therefore, retains the same notice requirement in the final rule.
    The GLB Act allows the Agencies to impose requirements on the 
disclosure of information pursuant to the exception for service 
providers beyond those imposed in the statute. NCUA, like the other 
Agencies, did not do so in the proposed rules, but invited comment on 
whether additional requirements should be imposed, and, if so, what 
those requirements should address. Approximately ten commenters wrote 
that the Agencies should reconsider this exception for opt out 
requirements for service providers and also eliminate the notice 
requirement. These commenters wrote that the notice and contract 
requirements under Sec. 502(b) should not apply to outsourcing 
arrangements where the third party agent, processor or server is 
performing operational functions on behalf of the credit union. They 
requested that service providers instead should be exempt from notice 
and opt out requirements under the Sec. 716.10 exception. The final 
rule in Sec. 716.13 retains application of this section to service 
providers because it is statutory.
    One commenter requested that the Agencies provide examples of this 
service provider exception. The exception would apply, for example, to 
service providers whose services are not necessary in order for the 
credit union to provide financial services or products to consumers. 
The final rule provides a new example, that if a credit union discloses 
nonpublic personal information to a financial institution with whom it 
performs joint marketing, the contract must prohibit the institution 
from disclosing or using the information except as necessary to carry 
out the joint marketing or under an exception in Sec. 716.14 or 716.15 
in the ordinary course of business to carry out that marketing.
    The proposed rule in Sec. 716.9 required the credit union to enter 
into a contract with the third party that requires the third party to 
maintain the confidentiality of the information. Several commenters 
requested that the Board exempt existing contracts from the requirement 
of the confidentiality provision or extend the time frame for existing 
contracts to comply. The final rule provides a two-year grandfather 
period for service agreements entered into before July 1, 2000, under 
Sec. 716.18(c).
    The proposed rule in Sec. 716.9 provided that the contract should 
require the third party: (i) To maintain the confidentiality of the 
information at least to the same extent as is required for the credit 
union; and (ii) to use the information solely for the purposes for 
which the information is disclosed or as otherwise permitted by the 
exceptions in Sec. Sec. 716.10 and 716.11 of the proposed rule. The 
final rule in Sec. 716.13 deletes the first provision as redundant and 
clarifies that the use under the exceptions (Sec. Sec. 716.14 and 
716.15 of the final rule) is in the ordinary course of business to 
carry out the purposes for which the credit union disclosed the 
information.
    The Board requested comment on the application of the exception to 
credit unions that contract with credit scoring vendors to evaluate 
borrower creditworthiness. Approximately nine commenters responded that 
the exception should be interpreted so that it does not inhibit credit 
scoring, market response, or consumer behavioral models.
    NCUA sought comment on whether the rule should require a credit 
union to take steps to assure itself that the product being jointly 
marketed and the other participants in the joint marketing agreement do 
not present undue risks for the credit union. Several commenters 
opposed the Board requiring credit unions to take steps to ensure that 
the products and participants do not present undue risks. One commenter 
wrote that Letter to Credit Unions No. 150 already provides adequate 
protection against undue risks. One commenter supported the credit 
unions taking steps against undue risks. The final rule does not add 
new requirements to ensure against undue risks.

Section 716.14  Exceptions to Notice and Opt Out Requirements for 
Processing and Servicing Transactions

    The proposed rule in Sec. 716.13 set out certain exceptions for 
disclosures of nonpublic personal information in connection with the 
administration, processing, servicing, and sale of a consumer's 
account. One commenter suggested the Board should apply the exception 
in cases where the use of information is for the benefit of the credit 
union and not the third party. Several commenters requested that the 
Board make the rule consistent with the plain language of the GLB Act 
and use the terms ``in connection with,'' not ``required'' for 
servicing. NCUA and the other Agencies agree with the commenters. NCUA 
has made stylistic changes and has revised its use of the terms ``in 
connection with'' in the final rule. NCUA has also deleted the 
reference to underwriting insurance at the consumer's request or for 
reinsurance purposes, because credit unions do not engage directly in 
those activities.
    Several of the commenters requested that the Board broaden the 
exception and clarify the definition and list examples of servicing 
transactions. Approximately ten commenters requested that the Board 
clarify that the exceptions should include collection activities or 
products or services associated with a loan, such as those to protect 
collateral securing a loan. Commenters also recommended adding other 
examples to the list of exceptions, such as private label credit cards, 
electronic funds transfer transactions, statement mailing, ATMs, 
mechanical breakdown insurance, gap insurance on leasing, and one 
credit union phoning another to check on available funds before 
depositing a check drawn on the

[[Page 31735]]

other credit union. Some of these examples have been included and the 
Board believes they are sufficiently illustrative of transactions that 
would qualify as servicing transactions.

Section 716.15  Other Exceptions to Notice and Opt Out Requirements

    The proposed rule in Sec. 716.11 set out other exceptions, not made 
in connection with the administration, processing, servicing, and sale 
of a consumer's account. One of the exceptions was for disclosures made 
with the consent or at the direction of the consumer. The Board 
requested comment whether it should add safeguards to this exception to 
minimize the potential for consumer confusion. One commenter 
recommended that the Agencies not allow the consumer consent provision 
to be a way to evade the notice and opt out in the rest of the GLB Act.
    Several commenters wrote that the consumer consent requirement 
should be a flexible requirement that the consumer can exercise by 
phone, email, or Internet. A few commenters requested that the Agencies 
eliminate the consent requirement. A couple of commenters wrote that 
the exception should permit implied consent.
    Approximately ten commenters wrote that the consent exception 
should permit financial institutions to share nonpublic personal 
information about consumers with third parties with whom they have co-
branding and affinity relationships. For example, in these cases, the 
name of a third party who is the provider of a financial product is 
prominently displayed on credit cards or private label cards. If the 
third party is a financial institution, the proposed rule already 
provided an exception to the opt out requirement. Commenters requested 
that the same exception should also apply where the third party is not 
a financial institution. Commenters wrote that an opt out requirement 
would be burdensome and would delay providing customers the benefits 
they expect to receive.
    After considering these comments, the NCUA and the other Agencies 
have decided to adopt this section of the final rule in Sec. 716.15 
virtually as proposed in Sec. 716.11. However, the NCUA and the other 
Agencies are changing the reference in the proposed rule from 
government regulator to federal functional regulator, the Secretary of 
Treasury, a state insurance authority, and the Federal Trade 
Commission.

Subpart D--Relation to Other Laws; Effective Date

Section 716.16   rotection of Fair Credit Reporting Act

    The Agencies and NCUA are adopting Sec. 716.16 as proposed in 
Sec. 716.15.

Section 716.17  Relation to State Laws

    Section 507 of the GLB Act states that Title V does not preempt any 
state law that provides greater protections than are provided by Title 
V. Determinations of whether a state law or Title V provides greater 
protections are to be made by the Federal Trade Commission after 
consultation with the agency that regulates either the party filing a 
complaint or the credit union about whom the complaint was filed. 
Determinations of whether state or federal law afford greater 
protections may be initiated by any interested party or on the Federal 
Trade Commission's own motion.
    Proposed Sec. 716.15 was substantively identical to section 507. 
Although statutorily mandated, many commenters felt compelled to note 
the hardship, if not impossibility, it will be for financial 
institutions to comply with the federal regulation and the many 
different state laws that may apply to them. The difficulties include: 
when to follow state law; what state law to follow; and redesigning 
computer systems to take into account the different requirements.
    One commenter suggested that ``federal credit unions may be subject 
to a state compliance examination'' in states where state law is 
controlling. The Board would treat compliance by a federal credit union 
with a state privacy law the same as it treats a federal credit union's 
compliance with other controlling state law. The NCUA will coordinate 
with the appropriate state regulator to ensure that a federal credit 
union is in compliance with the controlling state privacy provisions.

Section 716.18  Effective Date; Transition Rule

    Section 510 of the GLB Act states that, as a general rule, the 
relevant provisions of Title V take effect 6 months after the date on 
which rules are required to be prescribed. However, section 510(1) 
authorizes the Agencies to prescribe a later date in the rules enacted 
pursuant to section 504.
    Proposed Sec. 716.16(a) had an effective date of November 13, 2000. 
NCUA invited comment on whether six months following adoption of final 
rules was sufficient to enable credit unions to comply with the rules. 
Fifty-four of the 55 commenters that commented on this provision 
requested that the effective date for mandatory compliance be extended. 
The sole dissenting commenter was the Congressional Privacy Caucus.
    The Congressional Privacy Caucus' rationale was that six months is 
sufficient time for financial institutions to comply. The other 54 
commenters offered a variety of reasons why six months is not 
sufficient. Some of the reasons in support of extending the compliance 
date were: operationally and financially it is a burden for financial 
institutions because they must identify customers and consumers and the 
sources and uses of consumer information, train staff, prepare 
disclosure statement and reprogram computers; prompt corrective action 
compliance, Y2K compliance and end of year timing, all make this a 
difficult period for credit unions to comply; credit unions would not 
be able to include the disclosure with their annual statements; this is 
the holiday season which is a busy time for the members and the post 
office; this was not budgeted for in the 2000 budget; and Congress gave 
the Agencies authority to extend the compliance date. Some commenters 
noted that, if financial institutions are required to rush compliance, 
there is a much greater likelihood of mistakes.
    The Board agrees that six months after publication of the final 
rule may be insufficient time in certain instances for a credit union 
to ensure that its forms, systems, and procedures comply with the rule. 
In order to accommodate situations requiring additional time, the Board 
retained the effective date of November 13, 2000, but, consistent with 
its authority under section 510(1) of the GLB Act to extend the 
effective date, the Board will give credit unions until July 1, 2001 to 
be in full compliance with the regulation.
    Credit unions are expected, however, to begin compliance efforts 
promptly, to use the period prior to June 30, 2001, to implement and 
test their systems, and be in full compliance by July 1, 2001. Given 
that this provides credit unions with slightly over 13 months in which 
to comply with the rule, the Board has determined that there no longer 
is any need for a separate phase-in for providing initial notices. 
Thus, a credit union will need to deliver all required opt out notices 
and initial notices before July 1, 2001. The final rule provides a new 
example that the credit union provides an initial notice to consumers 
who are members as of July 1, 2001, if by that date, it has established 
a system for providing initial notice to all new members and has mailed 
the initial notice to all existing members.

[[Page 31736]]

    Credit unions are encouraged to provide disclosures as soon as 
practicable. Depending on the readiness of a credit union to process 
opt out elections, credit unions might wish to consider including the 
privacy and opt out notices in the same mailing as is used to provide 
tax information to members in the first quarter of 2001 to increase the 
likelihood that a member will not mistake the notices for an unwanted 
solicitation. The Board believes that this extension represents a fair 
balance between those seeking prompt implementation of the protections 
afforded by the statute and those concerned about the reliability of 
the systems that are put in place.
    In response to a concern by some commenters that existing service 
contracts may not comply with Sec. 716.13(a)(2) of the final rule, the 
NCUA and the other Agencies are agreeing to postpone the mandatory 
compliance date for existing third party service contracts to state 
that the third party agrees to maintain the confidentiality of 
nonpublic personal information, until July 1, 2002. All third party 
service contracts entered into after July 1, 2000, however, must comply 
with the requirement.

Appendix A

    Approximately 19 commenters requested that the Agencies provide 
sample or model disclosure forms of the notice. The Board, consistent 
with the other Agencies, has provided sample disclosure language in 
Appendix A to its final rule. The Board urges credit unions to 
carefully review whether these clauses accurately reflect a given 
credit union's policies and practices before using the clauses. Credit 
unions are free to use different language and to include as much detail 
as they think is appropriate in their notices.
    The sample clauses are intended to minimize the burden and costs to 
credit unions, including small credit unions. This is especially true 
for small credit unions that only share nonpublic personal information 
with nonaffiliated third parties pursuant to the exceptions provided in 
Sec. Sec. 716.14 and 716.15. These credit unions may provide relatively 
simple initial and annual notices to members.

III. Regulatory Procedures

A. Paperwork Reduction Act

    NCUA has submitted the reporting requirements in Parts 716 and 741 
to the Office of Management and Budget and is awaiting approval and 
issuance of a new OMB control number (3133;____). Approximately 20 
commenters wrote that this regulation will result in increased costs. 
Several commenters also wrote that there will be increased paperwork 
burden. Commenters cited dollar amounts from $500 to ten million 
dollars, for system changes, staff hours, and mailing costs. A few 
commenters wrote that the cost may depend on what their vendors will 
charge to upgrade their systems. One commenter wrote that there would 
be no increased costs. Under the Paperwork Reduction Act of 1995, no 
persons are required to respond to a collection of information unless 
it displays a valid OMB number. The control number will be displayed in 
the table at 12 CFR part 795.

B. Regulatory Flexibility Act

    The Regulatory Flexibility Act (5 U.S.C. 601-612) requires, subject 
to certain exceptions, that NCUA prepare an initial regulatory 
flexibility analysis (IRFA) with a proposed rule and a final regulatory 
flexibility analysis (FRFA) with a final rule, unless NCUA certifies 
that the rule will not have a significant economic impact on a 
substantial number of small credit unions. For purposes of the 
Regulatory Flexibility Act, and in accordance with NCUA's authority 
under 5 U.S.C. 601(4), NCUA has determined that small credit unions are 
those with less than one million dollars in assets. See 12 CFR 
791.8(a). NCUA's final rule will apply to approximately 1,626 small 
credit unions, out of a total of approximately 10,627 federally-insured 
credit unions.
    At the time of issuance of the proposed rule, NCUA could not make 
such a determination for certification. Therefore, NCUA issued an IRFA 
pursuant to section 603 of the Regulatory Flexibility Act. After 
reviewing the comments submitted in response to the proposed rule, NCUA 
believes that it does not have sufficient information to determine 
whether the final rule would have a significant economic impact on a 
substantial number of small credit unions. Therefore, pursuant to 
section 604 of the Regulatory Flexibility Act, NCUA provides the 
following FRFA.
    This FRFA incorporates NCUA's initial findings, as set forth in the 
IRFA; addresses the comments submitted in response to the IRFA; and 
describes the steps NCUA has taken in the final rule to minimize the 
impact on small entities, consistent with the objectives of the GLB 
Act. Also, in accordance with Section 212 of the Small Business 
Regulatory Enforcement Fairness Act of 1996 (Public Law 104-121), NCUA 
will in the near future issue a Small Credit Union Compliance Guide to 
assist small credit unions in complying with this rule.
    1. Statement of the Need and Objectives of the Rule. The final rule 
implements the provisions of Title V, Subtitle A of the GLB Act 
addressing consumer privacy. In general, these statutory provisions 
require financial institutions to provide notice to consumers about an 
institution's privacy policies and practices, restrict institutions 
from sharing nonpublic personal information about consumers with 
nonaffiliated third parties, and permit consumers to prevent 
institutions from disclosing nonpublic personal information about them 
to certain nonaffiliated third parties by ``opting out'' of that 
disclosure. Section 504 of the GLB Act requires NCUA and the other 
Agencies, in consultation with representatives of state insurance 
authorities, to prescribe ``such regulations as may be necessary'' to 
carry out the purposes of Title V, Subtitle A. NCUA believes that the 
final rule gives credit unions greater certainty on how to comply with 
the statute.
    2. Summary of Significant Issues Raised in Public Comments and 
Assessment of Issues. NCUA does not have a practicable or reliable 
basis for quantifying the costs of the proposed rule or any 
alternatives, but sought comment on the potential costs. NCUA 
specifically requested information on the costs of creating privacy 
policy disclosures, distributing privacy policy disclosures, 
implementing ``opt out'' disclosure and processing requirements, and 
complying with the proposed rule in its entirety.
    The comments varied, and were not specific to small credit unions. 
Approximately 20 commenters wrote that this regulation will result in 
increased costs. Commenters cited dollar amounts from $500 to ten 
million dollars, for system changes, staff hours, and mailing costs. A 
few commenters wrote that the cost may depend on what their vendors 
will charge to upgrade their systems. One commenter wrote that there 
would be no increased costs.
    After considering the comments received, NCUA does not have a 
practicable or reliable basis for quantifying the costs of implementing 
the requirements of the GLB Act. We expect that compliance costs will 
vary significantly between credit unions depending on information 
sharing practices.
    NCUA believes that the new compliance requirements will indeed 
create additional economic costs for some credit unions, especially 
those that choose to disclose information to nonaffiliated third 
parties. Most, if not,

[[Page 31737]]

all of these costs result from requirements expressly mandated by the 
GLB Act. These costs include, but are not limited to: (1) Reviewing 
current information sharing practices; (2) determining operational and 
computer programming changes necessary; (3) identifying sources and 
uses of member information; (4) preparing disclosure forms; and (5) 
training staff. Credit unions that disclose nonpublic personal 
information about consumers to nonaffiliated third parties will be 
required to provide opt out notices to consumers, as well as a 
reasonable opportunity to opt out of certain disclosures. These credit 
unions will have to develop systems for keeping track of consumers' opt 
out directions. Some credit unions, particularly those that disclose 
nonpublic information about consumers to nonaffiliated third parties, 
may need the advice of legal counsel to ensure that they comply with 
the rule.
    However, NCUA continues to believe that the costs of implementing 
the opt out provisions of the final rule will be insubstantial for 
credit unions that do not disclose nonpublic personal information about 
consumers to nonaffiliated third parties. These credit unions may 
provide relatively simple initial and annual notices to consumers with 
whom they establish member relationships. However, NCUA cannot 
determine either the number or identity of credit unions that will not 
disclose nonpublic personal information about consumers to 
nonaffiliated third parties.
    In the IRFA, NCUA recognized that the Congressional Conferees on 
the Act wished to ensure that smaller financial institutions are not 
placed at a competitive disadvantage by a statutory regime that permits 
certain information to be shared freely within an affiliate structure 
while limiting the ability to share that same information with 
nonaffiliated third parties. The Conferees stated that, in prescribing 
regulations, the federal regulatory agencies should take into 
consideration any adverse competitive effects upon small commercial 
banks, thrifts, and credit unions. See H.R. Conf. Rep. No. 106-434, at 
173 (1999).
    Accordingly, NCUA also sought comment on whether the requirements 
of the Act and this rule will create additional burden for small credit 
unions, particularly those that disclose nonpublic personal information 
about consumers to nonaffiliated third parties. In connection with any 
such burden, NCUA requested comment on whether any exemptions for small 
credit unions would be appropriate. A few commenters suggested that 
small credit unions not have to provide opt out notices, but those 
suggestions were not consistent with the objectives of the GLB Act. 
Although NCUA could exempt small credit unions from providing a notice 
and opportunity for consumers to opt out of certain information 
disclosures, NCUA does not believe that such an exemption would be 
appropriate, given the purpose of the Act to protect the 
confidentiality and security of nonpublic personal information about 
consumers.
    Several commenters noted that small credit unions are penalized by 
the definition of ``control'' in the rule. The Board has added an 
example to the definition of control that will assist small credit 
unions.
    Further, NCUA, consistent with the other Agencies, has revised some 
of the requirements in the final rule so that they are less burdensome. 
The discussion below reviews some of the other significant changes:
    a. Sample disclosure clauses (Appendix A to Part 716) and 
Compliance Guide for Certain Credit Unions (Supplementary Information, 
Part V). Many commenters expressed concern over the amount of detail 
that appears to be required in both initial and annual notices. In 
addition, many of the commenters requested model forms for guidance as 
to the level of detail required. NCUA did not intend for the 
disclosures to be overly detailed and thus, burdensome for credit 
unions and potentially overwhelming for consumers. In response to these 
comments, Appendix A to Part 716 contains sample clauses to clarify the 
level of detail that NCUA believes is necessary and appropriate to be 
consistent with the statute.
    NCUA has also provided additional assistance under the caption 
``Guidance for Certain Credit Unions'' (Guidance). Supplementary 
Information, Part V. The Guidance generally clarifies the operation of 
the final rule. It also provides an example of a notice for small 
credit unions that only share nonpublic personal information with 
nonaffiliated third parties pursuant to the exceptions provided in 
Secs. 716.14 and 716.15. The Guidance may be used in conjunction with 
the sample clauses contained in Appendix A.
    The sample clauses under Appendix A and the Guidance are intended 
to minimize the burden and costs to credit unions, including small 
credit unions. This is especially true for small credit unions that 
only share nonpublic personal information with nonaffiliated third 
parties pursuant to the exceptions provided in Secs. 716.14 and 716.15. 
These credit unions may provide relatively simple initial and annual 
notices to members.
    b. Definition of nonpublic personal information. In the preamble to 
the proposed rule, NCUA offered for comment two alternatives for 
defining nonpublic personal information. The first, (Alternative A) 
deemed information as publicly available only if a credit union 
actually obtained the information from a public source, whereas the 
second (Alternative B) treated information as publicly available if a 
credit union could obtain it from such a source. A significant majority 
of commenters favored Alternative B. Many commenters suggested that 
implementing Alternative A would be overly burdensome. Credit unions 
would have to develop some sort of methodology to distinguish between 
information obtained from consumers, versus information obtained 
through public sources. In response to these comments, the final rule 
adopts a modified version of Alternative B (refer to Section-by-section 
analysis for additional information) that treats information as 
publicly available if a credit union could obtain the information from 
a public source. The final rule addresses the concerns of credit 
unions--including small credit unions--by adopting the least 
economically burdensome definition of nonpublic personal information.
    c. Effective date. Section 510 of the GLB Act states that, as a 
general rule, the relevant provisions of Title V take effect six months 
after the date on which rules are required to be prescribed, i.e., 
November 12, 2000. However, section 510(1) authorizes the NCUA and the 
other Agencies to prescribe a later date in the rules enacted pursuant 
to section 504. The proposed rule sought comment on the effective date 
prescribed by the statute. The overwhelming majority of commenters 
requested additional time to comply with the final rule. Several 
commenters noted that credit unions may encounter difficulty managing 
the expenses and resources required to comply with the final rule as 
the credit union's budget for the current year was established prior to 
the issuance of the proposed regulation. This may be especially true 
for small credit unions that face already tight budgetary constraints 
due to heightened competition. In response to these concerns, NCUA has 
retained the effective date of November 13, 2000, but, consistent with 
its authority under section 510(1) of the GLB Act to extend the 
effective date, NCUA will give credit unions until July 1, 2001 to be 
in full compliance with the regulation. This

[[Page 31738]]

additional time will allow credit unions to properly budget for any 
necessary expenses and staff resources required to comply with this 
rule and to make all necessary operational changes.
    d. New notices not required for each new financial product or 
service. Some commenters expressed concern that the proposed rule may 
require a new initial notice each time a consumer obtains a new 
financial product or service. This would be especially burdensome for 
credit unions that adopt a universal privacy policy that covers 
multiple products and services. To address these concerns and minimize 
economic burden, the final rule was clarified to instruct credit unions 
that a new initial notice is not required if the credit union has given 
its initial notice to the member, and that initial notice remains 
accurate with respect to the new product or service.
    e. Short form initial notice for consumers. In the proposed rule, 
credit unions were required to provide consumers a copy of a credit 
union's complete initial notice even when there is no member 
relationship. NCUA agrees with commenters that suggested that the 
statute's objectives for the initial notice requirements could be 
achieved in a less burdensome way. Therefore, NCUA has exercised its 
exemptive authority as provided in section 504(b) to create an 
exception to the general rule that otherwise requires a credit union to 
provide a consumer with both the initial and opt out notices before 
disclosing nonpublic personal information about that consumer to 
nonaffiliated third parties. A credit union may provide a ``short-
form'' initial notice along with the opt out notice to a consumer with 
whom the credit union does not have a member relationship. This short-
form notice must state that the disclosure containing information about 
the credit union's privacy policies and practices is available upon 
request and provide one or more reasonable means by which the consumer 
may obtain a copy of the notice. This provision in the final rule will 
lessen the burden on credit unions, including small credit unions.
    3. Steps to Minimize the Significant Economic Impact on Small 
Entities Consistent with the Objectives of the GLB Act. The objectives 
of Title V of the GLB Act are that each financial institution has an 
affirmative and continuing obligation to respect the privacy of its 
consumers and to protect the security and confidentiality of those 
consumers' nonpublic personal information. NCUA carefully considered 
comments that suggested a variety of alternatives that could minimize 
the economic and overall burden of complying with the final rule. As 
stated above, NCUA has made changes to the proposal as a result of the 
comments that it hopes will ease the burden for small credit unions.
    Nonetheless, the statute does not authorize the NCUA to create 
exemptions from the GLB Act based on a credit union's size or to 
mandate different compliance standards for small credit unions. The 
rule applies to all federally-insured credit unions, regardless of 
size. Moreover, different compliance standards would be inconsistent 
with the purposes of the GLB Act.
    NCUA believes that the burden is relatively small for credit unions 
that only disclose nonpublic personal information about consumers to 
nonaffiliated third parties pursuant to the exceptions provided under 
Secs. 716.14 and 716.15. NCUA's determination is based on an analysis 
of comments received in response to the proposed rule. These credit 
unions may provide relatively simple initial and annual notices to 
consumers with whom they establish member relationships. At this time, 
it is not clear if information-sharing among affiliates in large 
institutional entities will place small credit unions at a 
disadvantage. NCUA believes that further experience under the 
regulation would be appropriate before considering any exemptions in 
this area for small credit unions.

C. Executive Order 13132

    Executive Order 13132 encourages independent regulatory agencies to 
consider the impact of their regulatory actions on state and local 
interests. In adherence to fundamental federalism principles, NCUA, an 
independent regulatory agency as defined in 44 U.S.C. 3502(5), 
voluntarily complies with the executive order. This final rule will 
apply to all federally-insured credit unions, but it will not have 
substantial direct effects on the states, on the relationship between 
the national government and the states, or on the distribution of power 
and responsibilities among the various levels of government. Section 
507 of the GLB Act states that state law may provide greater consumer 
protections than this proposed rule. In that event, federal law would 
not preempt state law. NCUA has determined the proposed rule does not 
constitute a policy that has federalism implications for purposes of 
the executive order.

D. Small Business Regulatory Enforcement Fairness Act

    The Small Business Regulatory Enforcement Fairness Act of 1996 
(Pub. L. 104-121) provides generally for congressional review of agency 
rules. A reporting requirement is triggered in instances where NCUA 
issues a final rule as defined by section 551 of the Administrative 
Procedures Act. 5 U.S.C. 551. NCUA has recommended to The Office of 
Management and Budget that it determine that this is not a major rule, 
and is awaiting its determination.

E. The Treasury and General Government Appropriations Act, 1999--
Assessment of Federal Regulations and Policies on Families

    NCUA has determined that the final rule will not affect family 
well-being within the meaning of section 654 of the Treasury and 
General Government Appropriations Act, 1999, Pub. L. 105-277, 112 Stat. 
2681 (1998).

IV. Agency Regulatory Goal

    NCUA's goal is clear, understandable regulations that impose 
minimal regulatory burden. Some commenters responded that the rule is 
not understandable and intrusive if implemented as proposed. The 
majority of the commenters did not address this issue.

V. Guidance for Certain Credit Unions

    To minimize the burden and costs to a credit union and generally 
clarify the operation of the final rule, NCUA and the other Agencies 
are including this compliance guide that may be used in conjunction 
with the sample clauses contained in Appendix A. This guide 
specifically applies to a credit union that: (1) Does not have any 
affiliates; only discloses nonpublic personal information to 
nonaffiliated third parties in accordance with an exception under 
Sec. Sec. 716.14 and 716.15, such as in connection with servicing or 
processing a financial product or service that a consumer requests or 
authorizes; and (3) does not intend to reserve the right to disclose 
nonpublic personal information to nonaffiliated third parties, except 
under Sec. Sec. 716.14 and 716.15.\1\
---------------------------------------------------------------------------

    \1\ A credit union that discloses or reserves the right to 
disclose nonpublic personal information to a nonaffiliated third 
party under other circumstances must comply with other provisions in 
the rule, notably Secs. 716.7, 716.8, and 716.3, if applicable. A 
creidt union that discloses or reserves the right to disclose 
nonpublic personal information to an affiliate must comply with 
other provisions in the rule, notably Sec. 716.6(a)(7), if 
applicable.
---------------------------------------------------------------------------

    In general, if a credit union discloses nonpublic personal 
information to nonaffiliated third parties only as

[[Page 31739]]

authorized under an exception, then that credit union's only 
responsibilities under the regulation are to provide an initial and 
annual notice of its privacy policies and practices to each of its 
members. The credit union is not required to provide an opt out notice 
to its member.
    A. Initial notice to members. A credit union must provide a notice 
of its policies and practices to each of its members. A member is a 
natural person who has a continuing relationship with a credit union, 
as described in Sec. 716.4(c). For instance, an individual who is 
accepted for membership under the credit union's bylaws is a member of 
that credit union. By contrast, an individual who uses a credit union's 
ATM to withdraw funds from a checking account maintained at another 
financial institution is not a member of that credit union. Even if an 
individual repeatedly uses a credit union's ATM that individual is not 
the credit union's member. In other words, the credit union is 
obligated to provide an initial and annual notices to each of its own 
members, but not its consumers.
    B. Time to provide initial notice. A credit union must provide a 
notice of its policies and practices to each of its members not later 
than when it establishes a member relationship (Sec. 716.4(a)(1)). For 
instance, a credit union must provide a notice to an individual not 
later than when he or she is accepted for membership. Thus, a credit 
union can provide the notice to a potential member together with the 
membership agreement and signature card.
    If an existing member of a credit union obtains a new financial 
product or service from it, that credit union need not provide another 
initial notice to him or her (Sec. 716.4(d)) if the initial notice has 
covered the subsequent product.
    For instance, if Alison Individual walks into Credit Union for the 
first time on July 2, 2001, to apply for membership and open a share 
account, Credit Union complies with this provision of the rule if it 
provides an initial notice to Alison together with the documents that 
constitute the contract for membership and the share account. When 
Alison is accepted for membership and opens her account on that day, 
she becomes a member of Credit Union. Allison maintains her membership 
and, six months later, returns to Credit Union to obtain a loan. If the 
initial notice that Credit Union provided to Alison was accurate when 
she became a member and opened her account, then Credit Union need not 
provide another initial notice to her when she obtains the loan because 
it has provided the notice to Allison when she became a member.
    C. Method of providing the initial notice. A credit union must 
provide its initial notice so that each member can reasonably be 
expected to receive actual notice, in writing, of its privacy policies 
and practices (Sec. 716.9(a)). For example, a credit union may provide 
the initial notice by mailing a printed copy of it together with the 
documents and other materials that constitute the share account 
agreement or at an earlier time. Similarly, a credit union may provide 
the initial notice by hand-delivering a printed copy of it to the 
member together with the documents that constitute the membership and 
share account agreement or at an earlier time.
    D. Compliance with initial notice requirement for existing members 
by effective date. A credit union is required to provide an initial 
notice to each of its current members not later than July 1, 2001 
(Sec. 716.18(b)). A credit union complies with this provision of the 
rule if it mails a printed copy of the notice to the member's last 
known address.
    E. Annual notice. During the continuation of the member 
relationship, a credit union also must provide an annual notice to the 
member, as described in Sec. 716.5(a). A credit union must provide an 
annual notice to each member at least once in any period of 12 
consecutive months during which the member relationship exists. A 
credit union may define the 12-consecutive-month period, but must 
consistently apply that period to the member. A credit union may define 
the 12-consecutive-month period as a calendar year and provide the 
annual notice to the member once in each calendar year following the 
calendar year in which it provided the initial notice.
    For example, assume that Credit Union defines the 12-consecutive-
month period as a calendar year and provides annual notices to all of 
its members on October 1 of each year. If Alison Individual is accepted 
for membership by Bonanza on July 2, 2001, and thereby becomes a 
member, then Credit Union must provide an initial notice to Alison 
together with the documents that constitute the contract for membership 
or at an earlier time. Credit Union also must provide an annual notice 
to Alison by December 31, 2002. If Credit Union provides an annual 
notice to Alison on October 1, 2002, as it does for other members, then 
it must provide the next annual notice to Alison not later than October 
1, 2003.
    F. Method of providing the annual notice. Like the initial notice, 
the annual notice must be provided so that each member can reasonably 
be expected to receive actual notice, in writing, of a credit union's 
privacy policies and practices (Sec. 716.9(a)). A credit union complies 
with this provision of the rule if it mails a printed copy of the 
notice to the member's last known address.
    G. Joint accounts. If two or more members jointly obtain a 
financial product or service, other than a loan, then a credit union 
may provide one initial notice to those members jointly. Similarly, a 
credit union may provide one annual notice to those members jointly.
    H. Information described in the initial and annual notices. The 
initial and annual notices must include an accurate description of the 
following four items of information:
    1. The categories of nonpublic personal information that the credit 
union collects (Sec. 716.6(a)(1));
    2. The fact that the credit union does not disclose nonpublic 
personal information about its current members to affiliates or 
nonaffiliated third parties, except as authorized by Sec. Sec. 716.14 
and 716.15 (Sec. 716.6(a)(2)-(3)). When describing the categories with 
respect to those parties, the credit union is required to state only 
that it makes disclosures to other nonaffiliated third parties as 
permitted by law (Sec. 716.6(c));
    3. The categories of nonpublic personal information about the 
credit union's former members that it discloses and the categories of 
affiliates and nonaffiliated third parties to whom it discloses 
nonpublic personal information about its former members 
(Sec. 716.6(a)(4));
    4. The credit union's policies and practices with respect to 
protecting the confidentiality and security of nonpublic personal 
information (Sec. 716.6(a)(8)).
    For each of these four items of information above, a credit union 
may use a sample clause contained in Appendix A. The NCUA Board 
emphasizes that a credit union may use a sample clause only if that 
clause accurately describes its actual policies and practices.
    I. Sample notice. A credit union (``Credit Union'') that (i) does 
not have any affiliates and (ii) only discloses nonpublic personal 
information to nonaffiliated third parties as authorized under 
Sec. Sec. 716.14 and 716.15, may comply with the requirements of 
Sec. 716.6 of the rule by using the following sample notice, if 
applicable.
    Credit union collects nonpublic personal information about you from 
the following sources:
     Information we receive from you on applications or other 
forms;

[[Page 31740]]

     Information about your transactions with us or others; and
     Information we receive from a consumer reporting agency. 
\2\
---------------------------------------------------------------------------

    \2\ A credit union is required to describe only those general 
categories that apply to its policies and practices. Accordingly, if 
a credit union does not collect information from ``a consumer 
reporting agency,'' for instance, then it need not describe that 
category in its notices.
---------------------------------------------------------------------------

    We do not disclose any nonpublic personal information about you to 
anyone, except as permitted by law.
    If you decide to terminate your membership or become an inactive 
member, we will adhere to the privacy policies and practices as 
described in this notice.
    Credit union restricts access to your personal and account 
information to those employees who need to know that information to 
provide products or services to you. Credit union maintains physical, 
electronic, and procedural safeguards that comply with federal 
regulations to guard your nonpublic personal information.
    J. Initial and annual notices must be clear and conspicuous. NCUA 
emphasizes that a credit union must ensure that both the initial and 
annual notices must be clear and conspicuous, as defined in 
Sec. 716.3(b).

List of Subjects

12 CFR Part 716

    Consumer protection, Credit unions, Privacy, Reporting and 
recordkeeping requirements.

12 CFR Part 741

    Bank deposit insurance, Credit unions, Reporting and recordkeeping 
requirements.

    By the National Credit Union Administration Board on May 8, 
2000.
Sheila A. Albin,
Acting Secretary of the Board.

    For the reasons set out in the preamble, it is proposed that 12 CFR 
chapter VII be amended by adding a new part 716 to read as follows:

PART 16--PRIVACY OF CONSUMER FINANCIAL INFORMATION

Sec.
716.1   Purpose and scope.
716.2   Rule of construction.
716.3   Definitions.
Subpart A--Privacy and Opt Out Notices
716.4   Initial privacy notice to consumers required.
716.5   Annual privacy notice to members required.
716.6   Information to be included in initial and annual privacy 
notices.
716.7   Form of opt out notice to consumers and opt out methods.
716.8   Revised privacy notices.
716.9   Delivering privacy and opt out notices.
Subpart B--Limits on Disclosures
716.10   Limits on disclosure of nonpublic personal information to 
nonaffiliated third parties.
716.11   Limits on redisclosure and reuse of information.
716.12   Limits on sharing of account number information for 
marketing purposes.
Subpart C--Exceptions
716.13   Exception to opt out requirements for service providers and 
joint marketing.
716.14   Exceptions to notice and opt out requirements for 
processing and servicing transactions.
716.15   Other exceptions to notice and opt out requirements
Subpart D--Relation To Other Laws; Effective Date
716.16   Protection of Fair Credit Reporting Act.
716.17   Relation to state laws.
716.18   Effective date; transition rule.

Appendix A to Part 716--Sample Clauses

    Authority: 15 U.S.C. 6801 et seq., 12 U.S.C. 1751 et seq.


Sec. 716.1  Purpose and scope.

    (a) Purpose. This part governs the treatment of nonpublic personal 
information about consumers by the credit unions listed in paragraph 
(b) of this section. This part:
    (1) Requires a credit union to provide notice to members about its 
privacy policies and practices;
    (2) Describes the conditions under which a credit union may 
disclose nonpublic personal information about consumers to 
nonaffiliated third parties; and
    (3) Provides a method for consumers to prevent a credit union from 
disclosing that information to most nonaffiliated third parties by 
``opting out'' of that disclosure, subject to the exceptions in 
Sec. Sec. 716.13, 716.14, and 716.15.
    (b) Scope. (1) This part applies only to nonpublic personal 
information about individuals who obtain financial products or services 
for personal, family or household purposes. This part does not apply to 
information about companies or about individuals who obtain financial 
products or services for business, commercial or agricultural purposes. 
This part applies to federally-insured credit unions. This part refers 
to a federally-insured credit union as ``you'' or ``the credit union.''
    (2) Nothing in this part modifies, limits, or supersedes the 
standards governing individually identifiable financial information 
promulgated by the Secretary of Health and Human Services under the 
authority of Secs. 262 and 264 of the Health Insurance Portability and 
Accountability Act of 1996 (42 U.S.C. 1320d-1320d-8).


Sec. 716.2  Rule of construction.

    The examples in this part and the sample clauses in appendix A of 
this part are not exclusive. Compliance with an example or use of a 
sample clause, to the extent applicable, constitutes compliance with 
this part.


Sec. 716.3  Definitions.

    As used in this part, unless the context requires otherwise:
    (a)(1) Affiliate means any company that controls, is controlled by, 
or is under common control with another company.
    (2) Examples. (i) An affiliate of a federal credit union is a 
credit union service organization (CUSO), as provided in 12 CFR part 
712, that is controlled by the federal credit union.
    (ii) An affiliate of a federally-insured, state-chartered credit 
union is a company that is controlled by the credit union.
    (b)(1) Clear and conspicuous means that a notice is reasonably 
understandable and designed to call attention to the nature and 
significance of the information in the notice.
    (2) Examples. (i) Reasonably understandable. You make your notice 
reasonably understandable if you:
    (A) Present the information contained in the notice in clear, 
concise sentences, paragraphs and sections;
    (B) Use short, explanatory sentences or bullet lists whenever 
possible;
    (C) Use definite, concrete, everyday words and active voice 
whenever possible;
    (D) Avoid multiple negatives;
    (E) Avoid legal and highly technical business terminology wherever 
possible; and
    (F) Avoid explanations that are imprecise and readily subject to 
different interpretations.
    (ii) Designed to call attention. You design your notice to call 
attention to the nature and significance of the information in it if 
you:
    (A) Use a plain-language heading to call attention to the notice;
    (B) Use a typeface and type size that are easy to read;
    (C) Provide wide margins and ample line spacing;
    (D) Use boldface or italics for key words; and
    (E) In a form that combines your notice with other information, use 
distinctive type size, style, and graphic devices, such as shading or 
sidebars.

[[Page 31741]]

    (iii) Notices on web sites. If you provide notices on a web page, 
you design your notice to call attention to the nature and significance 
of the information in it if you use text or visual cues to encourage 
scrolling down the page if necessary to view the entire notice and 
ensure that other elements on the web site (such as text graphics, 
hyperlinks or sound) do not distract attention form the notice, and you 
either:
    (A) Place the notice on a screen frequently accessed by consumers, 
such as a home page or a page on which transactions are conducted; or
    (B) Place a link on a screen frequently accessed by consumers, such 
as a home page or a page on which transactions are conducted, that 
connects directly to the notice and is labeled appropriately to convey 
the importance, nature and relevance of the notice.
    (c) Collect means to obtain information that you organize or can 
retrieve by the name of an individual or by identifying number, symbol, 
or other identifying particular assigned to the individual, 
irrespective of the source of the underlying information.
    (d) Company means any corporation, limited liability company, 
business trust, general or limited partnership, association or similar 
organization.
    (e)(1) Consumer means an individual who obtains or has obtained a 
financial product or service from you, that is to be used primarily for 
personal, family or household purposes, or that individual's legal 
representative.
    (2) Examples. (i) An individual who provides nonpublic personal 
information to you in connection with obtaining or seeking to obtain 
credit union membership is your consumer regardless of whether you 
establish a member relationship.
    (ii) An individual who provides nonpublic personal information to 
you in connection with using your ATM is your consumer.
    (iii) If you hold ownership or servicing rights to an individual's 
loan, the individual is your consumer, even if you hold those rights in 
conjunction with one or more financial institutions. (The individual is 
also a consumer with respect to the other financial institutions 
involved). This applies, even if you, or another financial institution 
with those rights, hire an agent to collect on the loan or to provide 
processing or other services.
    (iv) An individual who is a consumer of another financial 
institution is not your consumer solely because you act as agent for, 
or provide processing or other services to, that financial institution.
    (v) An individual is not your consumer solely because he or she is 
a participant or a beneficiary of an employee benefit plan that you 
sponsor or for which you act as a trustee or fiduciary.
    (f) Consumer reporting agency has the same meaning as in section 
603(f) of the Fair Credit Reporting Act (15 U.S.C. 1681a(f)).
    (g) Control of a company means:
    (1) Ownership, control, or power to vote 25 percent or more of the 
outstanding shares of any class of voting security of the company, 
directly or indirectly, or acting through one or more other persons;
    (2) Control in any manner over the election of a majority of the 
directors, trustees or general partners (or individuals exercising 
similar functions) of the company; or
    (3) The power to exercise, directly or indirectly, a controlling 
influence over the management or policies of the company, as the NCUA 
determines. With respect to state-chartered credit unions, NCUA will 
consult with the appropriate state regulator prior to making its 
determination.
    (4) Example. NCUA will presume a credit union has a controlling 
influence over the management or policies of a CUSO, if the CUSO is 67% 
owned by credit unions.
    (h) Credit union means a federal or state-chartered credit union 
that the National Credit Union Share Insurance Fund insures.
    (i) Customer means a consumer who has a customer relationship with 
a financial institution other than a credit union.
    (j) Customer relationship means a continuing relationship between a 
consumer and a financial institution other than a credit union.
    (k) Federal functional regulator means--
    (1) The National Credit Union Administration Board;
    (2) The Board of Governors of the Federal Reserve System;
    (3) The Office of the Comptroller of the Currency;
    (4) The Board of Directors of the Federal Deposit Insurance 
Corporation;
    (5) The Director of the Office of Thrift Supervision; and
    (6) The Securities and Exchange Commission.
    (l)(1)Financial institution means any institution the business of 
which is engaging in activities that are financial in nature or 
incidental to such financial activity as described in section 4(k) of 
the Bank Holding Company Act of 1956 (12 U.S.C. 1843(k)).
    (2) Examples of financial institutions may include, but are not 
limited to: credit unions; banks; insurance companies; securities 
brokers, dealers, and underwriters; loan brokers and servicers; tax 
planners and preparation services; personal property appraisers; real 
estate appraisers; career counselors for employees in financial 
occupations; digital signature services; courier services; real estate 
settlement services; manufacturers of computer software and hardware; 
and travel agencies operated in connection with financial services.
    (3) Financial institution does not include:
    (i) Any person or entity with respect to any financial activity 
that is subject to the jurisdiction of the Commodity Futures Trading 
Commission under the Commodity Exchange Act (7 U.S.C. 1 et seq.);
    (ii) The Federal Agricultural Mortgage Corporation or any entity 
chartered and operating under the Farm Credit Act of 1971 (12 U.S.C. 
2001 et seq.); or
    (iii) Institutions chartered by Congress specifically to engage in 
securitizations, secondary market sales (including sales of servicing 
rights) or similar transactions related to a transaction of a consumer, 
as long as such institutions do not sell or transfer nonpublic personal 
information to a nonaffiliated third party.
    (m) (1) Financial product or service means any product or service 
that a financial holding company could offer by engaging in an activity 
that is financial in nature or incidental to such a financial activity 
under section 4(k) of the Bank Holding Company Act of 1956 (12 U.S.C. 
1843(k)).
    (2) Financial service includes your evaluation or brokerage of 
information that you collect in connection with a request or an 
application from a consumer for a financial product or service.
    (n) Member means a consumer who has a member relationship with you. 
For purposes of this part only, it will include certain nonmembers.
    (o)(1) Member relationship means a continuing relationship between 
a consumer and you under which you provide one or more financial 
products or services to the consumer that are to be used primarily for 
personal, family or household purposes. As noted in the examples, this 
will include certain consumers that are not your members.
    (2) Examples. (i) A consumer has a continuing relationship with you 
if the consumer:
    (A) Is your member as defined in your bylaws;
    (B) Is a nonmember who has a share, share draft, or credit card 
account with you jointly with a member;

[[Page 31742]]

    (C) Is a nonmember who has a loan that you service;
    (D) Is a nonmember who has an account with you and you are a credit 
union that has been designated as a low-income credit union; or
    (E) Is a nonmember who has an account in a federally-insured, 
state-chartered credit union pursuant to state law.
    (ii) A consumer does not, however, have a member relationship with 
you if the consumer is a nonmember and:
    (A) The consumer only obtains a financial product or service in 
isolated transactions, such as using your ATM to withdraw cash from an 
account maintained at another financial institution or purchasing 
travelers checks; or
    (B) You sell the consumer's loan and do not retain the rights to 
service that loan. (p)(1) Nonaffiliated third party means any person 
except:
    (i) Your affiliate; or
    (ii) A person employed jointly by you and any company that is not 
your affiliate (but nonaffiliated third party includes the other 
company that jointly employs the person).
    (q)(1) Nonpublic personal information means:
    (i) Personally identifiable financial information; and
    (ii) Any list, description or other grouping of consumers (and 
publicly available information pertaining to them) that is derived 
using any personally identifiable financial information.
    (2) Nonpublic personal information does not include:
    (i) Publicly available information, except as included on a list 
described in paragraph (q)(1)(ii) of this section; or
    (ii) Any list, description, or other grouping of consumers (and 
publicly available information pertaining to them) that is derived 
without using any personally identifiable financial information, other 
than publicly available information.
    (3) Examples of lists. (i) Nonpublic personal information includes 
any list of individuals' names and street addresses that is derived in 
whole or in part using personally identifiable financial information, 
other than publicly available information, such as account numbers.
    (ii) Nonpublic personal information does not include any list of 
individuals' names and addresses that contains only publicly available 
information, is not derived using personally identifiable financial 
information, other than publicly available information, either in whole 
or in part, and is not disclosed in a manner that indicates that any of 
the individuals on the list is a consumer of a credit union, other than 
publicly available information.
    (r)(1) Personally identifiable financial information means any 
information:
    (i) A consumer provides to you to obtain a financial product or 
service from you;
    (ii) About a consumer resulting from any transaction involving a 
financial product or service between you and a consumer; or
    (iii) You otherwise obtain about a consumer in connection with 
providing a financial product or service to that consumer.
    (2) Personally identifiable financial information does not include 
publicly available information.
    (3) Examples. (i) Information included. Personally identifiable 
financial information includes:
    (A) Information a consumer provides to you on an application to 
obtain membership, a loan, credit card or other financial product or 
service;
    (B) Account balance information, payment history, overdraft 
history, and credit or debit card purchase information;
    (C) The fact that an individual is or has been one of your members 
or has obtained a financial product or service from you;
    (D) Any information about your consumer if it is disclosed in a 
manner that indicates that the individual is or has been your consumer;
    (E) Any information that a consumer provides to you or that you or 
your agent otherwise obtain in connection with collecting on a loan or 
servicing a loan;
    (F) Any information you collect through an Internet ``cookie'' (an 
information collecting device from a web server); and
    (G) Information from a consumer report.
    (ii) Information not included. Personally identifiable financial 
information does not include:
    (A) A list of names and addresses of customers of an entity that is 
not a financial institution; and
    (B) Information that does not identify a consumer, such as 
aggregate information or blind data that does not contain personal 
identifiers such as account numbers, names, or addresses.
    (s)(1) Publicly available information means any information that 
you have a reasonable basis to believe is lawfully made available to 
the general public from:
    (i) Federal, state or local government records;
    (ii) Widely distributed media; or
    (iii) Disclosures to the general public that are required to be 
made by federal, state or local law.
    (2) Reasonable basis. You have a reasonable basis to believe that 
information is lawfully made available to the general public if you 
have taken steps to determine:
    (i) That the information is of the type that is available to the 
general public; and
    (ii) Whether an individual can direct that the information not be 
made available to the general public and, if so, that your member or 
consumer has not done so.
    (3) Examples. (i) Government records. Publicly available 
information in government records includes information in government 
real estate records and security interest filings.
    (ii) Widely distributed media. Publicly available information from 
widely distributed media includes information from a telephone book, a 
television or radio program, a newspaper or a web site that is 
available to the general public on an unrestricted basis. A web site is 
not restricted merely because an Internet service provider or site 
operator requires a fee or a password, so long as access is available 
to the general public.
    (iii) Reasonable basis. (1) You have a reasonable basis to believe 
that mortgage information is lawfully made available to the general 
public if you have determined that the information is of the type 
included on the public record in the jurisdiction where the mortgage 
would be recorded.
    (2) You have a reasonable basis to believe that an individual's 
telephone number is lawfully made available to the general public if 
you have located the telephone number in the telephone book or have 
been informed by the consumer that the telephone number is not 
unlisted.
    (t) You means a federally-insured credit union.

Subpart A--Privacy and Opt Out Notices


Sec. 716.4  Initial privacy notice to consumers required.

    (a) Initial notice requirement. You must provide a clear and 
conspicuous notice that accurately reflects your privacy policies and 
practices to a:
    (1) Member, not later than when you establish a member 
relationship, except as provided in paragraph (e) of this section; and
    (2) Consumer, before you disclose any nonpublic personal 
information about the consumer to any nonaffiliated third party, if you 
make such a disclosure other than as authorized by Sec. Sec. 716.14 and 
716.15.

[[Page 31743]]

    (b) When initial notice to a consumer is not required. You are not 
required to provide an initial notice to a consumer under paragraph (a) 
of this section if:
    (1) You do not disclose any nonpublic personal information about 
the consumer to any nonaffiliated third party, other than as authorized 
by Sec. Sec. 716.14 and 716.15; and
    (2) You do not have a member relationship with the consumer.
    (c) When you establish a member relationship. (1) General rule. You 
establish a member relationship when you and the consumer enter into a 
continuing relationship.
    (2) Special rule for loans. You establish a member relationship 
with a consumer when you originate, or acquire the servicing rights to 
a loan to the consumer for personal, household or family purposes and 
that is the only basis for the member relationship. If you subsequently 
transfer the servicing rights to that loan to another financial 
institution, the member relationship transfers with the servicing 
rights.
    (3)(i) Examples of establishing member relationship. You establish 
a member relationship when the consumer:
    (A) Becomes your member under your bylaws;
    (B) Is a nonmember and opens a credit card account with you jointly 
with a member under your procedures;
    (C) Is a nonmember and executes the contract to open a share or 
share draft account with you or obtains credit from you jointly with a 
member, including an individual acting as a guarantor;
    (D) Is a nonmember and opens an account with you and you are a 
credit union designated as a low-income credit union;
    (E) Is a nonmember and opens an account with you pursuant to state 
law and you are a state-chartered credit union.
    (ii) Examples of loan rule. You establish a member relationship 
with a consumer who obtains a loan for personal, family, or household 
purposes when you:
    (A) Originate the loan to the consumer and retain the servicing 
rights; or
    (B) Purchase the servicing rights to the consumer's loan.
    (d) Existing members. When an existing member obtains a new 
financial product or service that is to be used primarily for personal, 
family, or household purposes, you satisfy the initial notice 
requirements of paragraph (a) of this section as follows:
    (1) You may provide a revised policy notice, under Sec. 716.8, that 
covers the member's new financial product or service; or
    (2) If the initial, revised, or annual notice that you most 
recently provided to that member was accurate with respect to the new 
financial product or service, you do not need to provide a new privacy 
notice under paragraph (a) of this section.
    (e) Exceptions to allow subsequent delivery of notice. (1) You may 
provide the initial notice required by paragraph (a)(1) of this section 
within a reasonable time after you establish a member relationship if:
    (i) Establishing the member relationship is not at the member's 
election;
    (ii) Providing notice not later than when you establish a member 
relationship would substantially delay the member's transaction and the 
member agrees to receive the notice at a later time.
    (2) Examples of exceptions. (i) Not at member's election. 
Establishing a member relationship is not at the member's election if 
you acquire a member's deposit liability from another financial 
institution and the member does not have a choice about your 
acquisition.
    (ii) Substantial delay of member's transaction. Providing notice 
not later than when you establish a member relationship would 
substantially delay the member's transaction when:
    (A) You and the individual agree over the telephone to enter into a 
member relationship involving prompt delivery of the financial product 
or service; or
    (B) You establish a member relationship with an individual under a 
program authorized by Title IV of the Higher Education Act of 1965 (20 
U.S.C. 1070 et seq.) or similar student loan programs where loan 
proceeds are disbursed promptly without prior communication between you 
and the member.
    (iii) No substantial delay of member's transaction. Providing 
notice not later than when you establish a member relationship would 
not substantially delay the member's transaction when the relationship 
is initiated in person at your office or through other means by which 
the member may view the notice, such as on a web site.
    (f) Joint relationships. If two or more consumers jointly obtain a 
financial product or service, other than a loan, from you, you may 
satisfy the requirements of paragraph
    (a) of this section by providing one initial notice to those 
consumers jointly.
    (g) Delivery. When you are required to deliver an initial privacy 
notice by this section, you must deliver it according to the methods in 
Sec. 716.9. If you use a short-form initial notice for nonmember 
consumers according to Sec. 716.6(c), you may deliver your privacy 
notice according to Sec. 716.6(c)(3).


Sec. 716.5  Annual privacy notice to members required.

    (a)(1) General rule. You must provide a clear and conspicuous 
notice to members that accurately reflects your privacy policies and 
practices not less than annually during the continuation of the member 
relationship. Annually means at least once in any period of 12 
consecutive months during which that relationship exists. You may 
define the 12-consecutive-month period, but you must apply it to the 
member on a consistent basis.
    (2) Example. You provide a notice annually if you define the 12-
consecutive-month period as a calendar year and provide the annual 
notice to the member once in each calendar year following the calendar 
year in which you provide the initial notice. For example, if a member 
opens an account on any day of year one, you must provide an annual 
notice to that member by December 31 of year two.
    (b) (1) Termination of member relationship. You are not required to 
provide an annual notice to a former member.
    (2) Examples. Your member becomes your former member when:
    (i) An individual is no longer your member as defined in your 
bylaws;
    (ii) In the case of a nonmember's share or share draft account, the 
account is inactive under the credit union's policies;
    (iii) In the case of a nonmember's closed-end loan, the loan is 
paid in full, you charge off the loan, or you sell the loan without 
retaining servicing rights;
    (iv) In the case of a credit card relationship or other open-end 
credit relationship with a nonmember, you no longer provide any 
statements or notices to the nonmember concerning that relationship or 
you sell the credit card receivables without retaining servicing 
rights; or
    (v) You have not communicated with the nonmember about the 
relationship for a period of twelve consecutive months, other than to 
provide annual privacy notices or promotional material.
    (c) Delivery. When you are required to deliver an annual privacy 
notice by this section, you must deliver it according to the methods in 
Sec. 716.9.


Sec. 716.6  Information to be included in initial and annual privacy 
notices.

    (a) General rule. The initial and annual privacy notices under 
Secs. 716.4 and 716.5 must include each of the following items of 
information that

[[Page 31744]]

applies to you or to the consumers to whom you send your privacy 
notice, in addition to any other information you wish to provide:
    (1) The categories of nonpublic personal information that you 
collect;
    (2) The categories of nonpublic personal information that you 
disclose;
    (3) The categories of affiliates and nonaffiliated third parties to 
whom you disclose nonpublic personal information, other than those 
parties to whom you disclose information under Secs. 716.14 and 716.15;
    (4) The categories of nonpublic personal information about your 
former members that you disclose and the categories of affiliates and 
nonaffiliated third parties to whom you disclose it, other than those 
parties to whom you disclose information under Secs. 716.14 and 716.15;
    (5) If you disclose nonpublic personal information to a 
nonaffiliated third party under Sec. 716.13 (and no other exception 
applies to that disclosure), a separate statement of the categories of 
information you disclose and the categories of third parties with whom 
you have contracted;
    (6) An explanation of the consumer's right under Sec. 716.10(a) to 
opt out of the disclosure of nonpublic personal information to 
nonaffiliated third parties, including the methods by which the 
consumer may exercise that right at that time;
    (7) Any disclosures that you make under section 603(d)(2)(A)(iii) 
of the Fair Credit Reporting Act (15 U.S.C. 1681a(d)(2)(A)(iii)) (that 
is, notices regarding the ability to opt out of disclosure of 
information among affiliates);
    (8) Your policies and practices with respect to protecting the 
confidentiality and security of nonpublic personal information; and
    (9) Any disclosures you make under paragraph (b) of this section.
    (b) Description of nonaffiliated third parties subject to 
exceptions. If you disclose nonpublic personal information to third 
parties as authorized under Sec. Sec. 716.14 and 716.15, you are not 
required to list those exceptions in the initial or annual privacy 
notices required by Sec. Sec. 716.4 and 716.5. When describing the 
categories with respect to those parties, you are required to state 
only that you make disclosures to other nonaffiliated third parties as 
permitted by law.
    (c) Short-form initial notice with opt out notice for nonmember 
consumers. (1) You may satisfy the initial notice requirements in 
Secs. 716.4(a)(2), 716.7(b), and 716.7(c) for a consumer who is not a 
member by providing a short-form initial notice at the same time as you 
deliver an opt out notice as required in Sec. 716.7.
    (2) A short-form initial notice must:
    (i) Be clear and conspicuous;
    (ii) State that your privacy notice is available upon request; and
    (iii) Explain a reasonable means by which the consumer may obtain 
that notice.
    (3) You must deliver your short-form initial notice according to 
Sec. 716.9. You are not required to deliver your privacy notice with 
your short form initial notice. You instead may simply provide the 
consumer a reasonable means to obtain your privacy notice. If a 
consumer who receives your short-form notice requests your privacy 
notice, you must deliver your privacy notice according to Sec. 716.9.
    (4) Examples of obtaining privacy notice. You provide a reasonable 
means by which a consumer may obtain a copy of your privacy notice if 
you:
    (i) Provide a toll-free telephone number that the consumer may call 
to request the notice; or
    (ii) For a consumer who conducts business in person at your office, 
maintain copies of the notice on hand that you provide to a consumer 
immediately upon request.
    (d) Future disclosures. Your notice may include:
    (1) Categories of nonpublic personal information that you reserve 
the right to disclose in the future, but do not currently disclose; and
    (2) Categories of affiliates or nonaffiliated third parties to whom 
you reserve the right in the future to disclose, but to whom you do not 
currently disclose, nonpublic personal information.
    (e) Examples. (1) Categories of nonpublic personal information that 
you collect.
    You satisfy the requirement to categorize the nonpublic personal 
information that you collect if you list the following categories, as 
applicable:
    (i) Information from the consumer;
    (ii) Information about the consumer's transactions with you or your 
affiliates;
    (iii) Information about the consumer's transactions with 
nonaffiliated third parties; and
    (iv) Information from a consumer reporting agency.
    (2) Categories of nonpublic personal information you disclose. (i) 
You satisfy the requirement to categorize the nonpublic personal 
information that you disclose if you list the categories described in 
paragraph (e)(1) of this section, as applicable, and a few examples to 
illustrate the types of information in each category.
    (ii) If you reserve the right to disclose all of the nonpublic 
personal information about consumers that you collect, you may simply 
state that fact without describing the categories or examples of the 
nonpublic personal information you disclose.
    (3) Categories of affiliates and nonaffiliated third parties to 
whom you disclose. You satisfy the requirement to categorize the 
affiliates and nonaffiliated third parties to whom you disclose 
nonpublic personal information if you list the following categories, as 
applicable, and a few examples to illustrate the types of third parties 
in each category.
    (i) Financial service providers;
    (ii) Non-financial companies; and
    (iii) Others.
    (4) Disclosures under exception for service providers and joint 
marketers. If you disclose nonpublic personal information under the 
exception in Sec. 716.13 to a nonaffiliated third party to market 
products or services that you offer alone or jointly with another 
financial institution, you satisfy the disclosure requirement of 
paragraph (a)(5) of this section if you:
    (i) List the categories of nonpublic personal information you 
disclose, using the same categories and examples you used to meet the 
requirements of paragraphs (a)(2) of this section, as applicable; and
    (ii) State whether the third party is:
    (A) A service provider that performs marketing services on your 
behalf or on behalf of you and another financial institution; or
    (B) A financial institution with whom you have a joint marketing 
agreement.
    (5) Simplified notices. If you do not disclose, and do not intend 
to disclose, nonpublic personal information about members or former 
members to affiliates or nonaffiliated third parties except as 
authorized under Secs. 716.14 and 716.15, you may simply state that 
fact, in addition to the information you must provide under paragraphs 
(a)(1), (a)(8), (a)(9) and (c) of this section.
    (6) Confidentiality and security. You describe your policies and 
practices with respect to protecting the confidentiality and security 
of nonpublic personal information if you do both of the following:
    (i) Describe in general terms who is authorized to have access to 
the information.
    (ii) State whether you have security practices and procedures in 
place to ensure the confidentiality of the information in accordance 
with your policy. You are not required to describe technical 
information about the safeguards you use.

[[Page 31745]]

    (7) Joint notice with affiliates. You may provide a joint notice 
from you and one or more of your affiliates or other financial 
institutions, as specified in the notice, as long as the notice is 
accurate with respect to you and the other institution.


Sec. 716.7  Form of opt out notice to consumers and opt out methods.

    (a)(1) Form of opt out notice. If you are required to provide an 
opt out notice under Sec. 716.10(a)(1), you must provide a clear and 
conspicuous notice to each of your consumers that accurately explains 
the right to opt out under that section. The notice must state:
    (i) That you disclose or reserve the right to disclose nonpublic 
personal information about your consumer to a nonaffiliated third 
party;
    (ii) That the consumer has the right to opt out of that disclosure; 
and
    (iii) A reasonable means by which the consumer may exercise the opt 
out right.
    (2) Examples. (i) Adequate opt out notice. You provide adequate 
notice that the consumer can opt out of the disclosure of nonpublic 
personal information to a nonaffiliated third party if you:
    (A) Identify all of the categories of nonpublic personal 
information that you disclose or reserve the right to disclose and all 
of the categories of nonaffiliated third parties to whom you disclose 
the information, as described in Sec. 716.6(a)(2) and (3) and state 
that the consumer can opt out of the disclosure of that information; 
and
    (B) Identify the financial products or services that the consumer 
obtains from you, either singly or jointly, to which the opt out 
direction would apply.
    (ii) Reasonable opt out means. You provide a reasonable means to 
exercise an opt out right if you:
    (A) Designate check-off boxes in a prominent position on the 
relevant forms with the opt out notice;
    (B) Include a reply form together with the opt out notice;
    (C) Provide an electronic means to opt out, such as a form that can 
be sent via electronic mail or a process at your web site, if the 
consumer agrees to the electronic delivery of information; or
    (D) Provide a toll-free telephone number that consumers may call to 
opt out.
    (iii) Unreasonable opt out means. You do not provide a reasonable 
means of opting out if:
    (A) The only means of opting out is for the consumer to write his 
or her own letter to exercise that opt out right; or
    (B) The only means of opting out as described in any notice 
subsequent to the initial notice is to use a check-off box that was 
provided with the initial notice but not included with the subsequent 
notice.
    (iv) Specific opt out means. You may require each consumer to opt 
out through a specific means, as long as that means is reasonable for 
that consumer.
    (b) Same form as initial notice permitted. You may provide the opt 
out notice together with or on the same written or electronic form as 
the initial notice you provide in accordance with Sec. 716.4.
    (c) Initial notice required when opt out notice delivered 
subsequent to initial notice. If you provide the opt out notice later 
than required for the initial notice in accordance with Sec. 716.4, you 
must also include a copy of the initial notice in writing or, if the 
consumer agrees, electronically.
    (d) Joint relationships. (1) If two or more consumers jointly 
obtain a financial product or service, other than a loan, from you, you 
may provide only a single opt out notice. Your opt out notice must 
explain how you will treat an opt out direction by a joint consumer as 
explained in the examples in paragraph (d)(5) of this section.
    (2) Any of the joint consumers may exercise the right to opt out. 
You may either:
    (i) Treat an opt out direction by a joint consumer to apply to all 
of the associated joint consumers; or
    (ii) Permit each joint consumer to opt out separately.
    (3) If you permit each joint consumer to opt out separately, you 
must permit one of the joint consumers to opt out on behalf of all of 
the joint consumers.
    (4) You may not require all joint consumers to opt out before you 
implement any opt out direction.
    (5) Example. If John and Mary have a joint share account with you 
and arrange for you to send statements to John's address, you may do 
any of the following, but you must explain in your opt out notice which 
opt out policy you will follow:
    (i) Send a single opt out notice to John's address, but you must 
accept an opt out direction from either John or Mary.
    (ii) Treat an opt out direction by either John or Mary as applying 
to the entire account. If you do so, and John opts out, you may not 
require Mary to opt out as well before implementing John's opt out 
direction.
    (iii) Permit John and Mary to make different opt out directions. If 
you do so, and if John and Mary both opt out, you must permit one or 
both of them to notify you in a single response (such as on a form or 
through a telephone call).
    (e) Time to comply with opt out. You must comply with the 
consumer's opt out direction as soon as reasonably practicable after 
you receive it.
    (f) Continuing right to opt out. A consumer may exercise the right 
to opt out at any time.
    (g) Duration of consumer's opt out direction. (1) A consumer's 
direction to opt out under this section is effective until the consumer 
revokes it in writing or, if the consumer agrees, electronically.
    (2) When a member relationship terminates, the member's opt out 
direction continues to apply to the nonpublic personal information that 
you collected during or related to the relationship. If the individual 
subsequently establishes a new member relationship with you, the opt 
out direction that applied to the former relationship does not apply to 
the new relationship.
    (h) Delivery. When you are required to deliver an opt out notice by 
this section, you must deliver it according to the methods in 
Sec. 716.9.


Sec. 716.8  Revised privacy notices.

    (a) General rule. Except as otherwise authorized in this part, you 
must not, directly or through any affiliate, disclose any nonpublic 
personal information about a consumer to a nonaffiliated third party 
other than as described in the initial notice that you provided to that 
consumer under Sec. 716.4, unless:
    (1) You have provided to the consumer a revised notice that 
accurately describes your policies and practices;
    (2) You have provided to the consumer a new opt out notice;
    (3) You have given the consumer a reasonable opportunity, before 
you disclose the information to the nonaffiliated third party, to opt 
out of the disclosure; and
    (4) The consumer does not opt out.
    (b) Examples. (1) Except as otherwise permitted by 
Sec. Sec. 716.13, 716.14 and 716.15, you must provide a revised notice 
if you--
    (i) Disclose a new category of nonpublic personal information to 
any nonaffiliated third party;
    (ii) Disclose nonpublic personal information to a new category of 
nonaffiliated third party; or
    (iii) Disclose nonpublic personal information about a former member 
to a nonaffiliated third party, and that former member has not had the 
opportunity to exercise an opt out right regarding that disclosure.
    (2) A revised notice is not required if you disclose nonpublic 
personal information to a new nonaffiliated third

[[Page 31746]]

party that you adequately described in your prior notice.
    (c) Delivery. When you are required to deliver a revised privacy 
notice by this section, you must deliver it according to the methods in 
Sec. 716.9.


Sec. 716.9  Delivering privacy and opt out notices.

    (a) How to provide notices. You must provide any privacy notices 
and opt out notices, including short-form initial notices, that this 
part requires so that each consumer can reasonably be expected to 
receive actual notice in writing or, if the consumer agrees, 
electronically.
    (b) (1) Examples of reasonable expectation of actual notice. You 
may reasonably expect that a consumer will receive actual notice if 
you:
    (i) Hand-deliver a printed copy of the notice to the consumer;
    (ii) Mail a printed copy of the notice to the last known address of 
the consumer;
    (iii) For the consumer who conducts transactions electronically, 
post the notice on the electronic site and require the consumer to 
acknowledge receipt of the notice as a necessary step to obtaining a 
particular financial product or service;
    (iv) For an isolated transaction with the consumer, such as an ATM 
transaction, post the notice on the ATM screen and require the consumer 
to acknowledge receipt of the notice as a necessary step to obtaining 
the particular financial product or service.
    (2) Examples of unreasonable expectations of actual notice. You may 
not, however, reasonably expect that a consumer will receive actual 
notice if you:
    (i) Only post a sign in your branch or office or generally publish 
advertisements of your privacy policies and practices;
    (ii) Send the notice via electronic mail to a consumer who does not 
obtain a financial product or service from you electronically.
    (c) Annual notices only. You may reasonably expect that a member 
will receive actual notice of your annual privacy notice if:
    (1) The member uses your web site to access financial products and 
services electronically and agrees to receive notices at your web site 
and you post your current privacy notice continuously in a clear and 
conspicuous manner on your web site; or
    (2) The member has requested that you refrain from sending any 
information regarding the member relationship, and your current privacy 
notice remains available to the member upon request.
    (d) Oral description of notice insufficient. You may not provide 
any notice required by this part solely by orally explaining the 
notice, either in person or over the telephone.
    (e) Retention or accessibility of notices for members. (1) For 
members only, you must provide the initial notice required by 
Sec. 716.4 (a)(1), the annual notice required by Sec. 716.5(a) and the 
revised notice required by Sec. 716.8 so that the member can retain 
them or obtain them later in writing or, if the member agrees, 
electronically.
    (2) Examples of retention or accessibility. You provide the privacy 
notice to the member so that the member can retain it or obtain it 
later if you:
    (i) Hand-deliver a printed copy of the notice to the member;
    (ii) Mail a printed copy of the notice to the last known address of 
the member upon request of the member; or
    (iii) Make your current privacy notice available on a web site (or 
a link to another web site) for the member who obtains a financial 
product or service electronically and agrees to receive the notice at 
the web site.

Subpart B--Limits on Disclosures


Sec. 716.10  Limits on disclosure of nonpublic personal information to 
nonaffiliated third parties.

    (a) (1) Conditions for disclosure. Except as otherwise authorized 
in this part, you may not, directly or through any affiliate, disclose 
any nonpublic personal information about a consumer to a nonaffiliated 
third party unless:
    (i) You have provided to the consumer an initial notice as required 
under Sec. 716.4;
    (ii) You have provided to the consumer an opt out notice as 
required in Sec. 716.7;
    (iii) You have given the consumer a reasonable opportunity, before 
you disclose the information to the nonaffiliated third party, to opt 
out of the disclosure; and
    (iv) The consumer does not opt out.
    (2) Opt out definition. Opt out means a direction by the consumer 
that you not disclose nonpublic personal information about that 
consumer to a nonaffiliated third party, other than as permitted by 
Secs. 716.13, 716.14 and 716.15.
    (3) Examples of reasonable opportunity to opt out. You provide a 
consumer with a reasonable opportunity to opt out if:
    (i) By mail. You mail the notices required in paragraph (a)(1) of 
this section to the consumer and allow the consumer to opt out by 
mailing a form, calling a toll-free telephone number, or any other 
reasonable means within 30 days from the date you mailed the notices.
    (ii) By electronic means. A member opens an on-line account with 
you and agrees to receive the notices required in paragraph (a)(1) of 
this section electronically, and you make the notices available to the 
member on your web site and allow the member to opt out by any 
reasonable means within 30 days after the date that the member 
acknowledges receipt of the notices.
    (iii) Isolated transaction with consumer. For an isolated 
transaction, such as the purchase of a traveler's check by a consumer, 
you provide the consumer with a reasonable opportunity to opt out if 
you provide the notices required in paragraph (a)(1) of this section at 
the time of the transaction and request that the consumer decide, as a 
necessary part of the transaction, whether to opt out before completing 
the transaction.
    (b) Application of opt out to all consumers and all nonpublic 
personal information. (1) You must comply with this section, regardless 
of whether you and the consumer have established a member relationship.
    (2) Unless you comply with this section, you may not, directly or 
through an affiliate, disclose any nonpublic personal information about 
a consumer that you have collected, regardless of whether you collected 
it before or after receiving the direction to opt out from the 
consumer.
    (c) Partial opt out. You may allow a consumer to select certain 
nonpublic personal information or certain nonaffiliated third parties 
with respect to which the consumer wishes to opt out.


Sec. 716.11  Limits on redisclosure and reuse of information.

    (a)(1) Information you receive under an exception. If you receive 
nonpublic personal information from a nonaffiliated financial 
institution under an exception in Sec. 716.14 or 716.15 of this part, 
your disclosure and use of that information is limited as follows:
    (i) You may disclose the information to the affiliates of the 
financial institution from which you received the information; and
    (ii) You may disclose the information to your affiliates, but your 
affiliates may, in turn, disclose and use the information only to the 
extent that you may disclose and use the information; and
    (iii) You may disclose and use the information pursuant to an 
exception in Sec. 716.14 or 716.15 in the ordinary course of business 
to carry out the

[[Page 31747]]

activity covered by the exception under which you received the 
information.
    (2) Example. If you receive a member list from a credit union in 
order to provide correspondent services under the exception in 
Sec. 716.14(a), you may disclose that information under any exception 
in Sec. 716.14 or 716.15 in order to provide those services. For 
example, you could disclose the information in response to a properly 
authorized subpoena or to your attorneys, accountants, and auditors. 
You could not disclose that information to a third party for marketing 
purposes or use that information for your own marketing purposes.
    (b)(1) Information you receive outside of an exception. If you 
receive nonpublic personal information from a nonaffiliated financial 
institution other than under an exception in Sec. 716.14 or 716.15 of 
this part, you may disclose the information only:
    (i) To the affiliates of the financial institution from which you 
received the information;
    (ii) To your affiliates, but your affiliates may, in turn, disclose 
the information only to the extent that you can disclose the 
information;
    (iii) To any other person, if the disclosure would be lawful if 
made directly to that person by the financial institution from which 
you received the information; and
    (iv) Pursuant to an exception in Sec. 716.14 or 716.15.
    (2) Example. If you obtain a customer list from a nonaffiliated 
financial institution outside of the exceptions in Sec. Sec. 716.14 and 
716.15,
    (i) You may use the list for your own purposes;
    (ii) You may disclose that list to another non-affiliated third 
party only if the financial institution from which you purchased the 
list could have disclosed the list to that third party, that is you may 
disclose the list in accordance with the privacy policy of the 
financial institution from which you received the list, as limited by 
the opt out direction of each consumer whose nonpublic personal 
information you intend to disclose; and
    (iii) You may disclose that list as permitted by Sec. 716.14 or 
716.15, such as to your attorneys or accountants.
    (c) Information you disclose under an exception. If you disclose 
nonpublic personal information to a nonaffiliated third party under an 
exception in Sec. 716.14 or 716.15 of this part, the disclosure and use 
of that information by the third party is limited as follows:
    (1) The third party may disclose the information to your 
affiliates;
    (2) The third party may disclose the information to its affiliates, 
but its affiliates may, in turn, disclose and use the information only 
to the extent that the third party may disclose and use the 
information; and
    (3) The third party may disclose and use the information pursuant 
to an exception in Sec. 716.14 or 716.15 in the ordinary course of 
business to carry out the activity covered by the exception under which 
it received the information.
    (d) Information you disclose outside of an exception. If you 
disclose nonpublic personal information to a nonaffiliated third party 
other than under an exception in Sec. 716.14 or 716.15 of this part, 
the third party may disclose the information only:
    (1) To your affiliates;
    (2) To its affiliates, but its affiliates, in turn, may disclose 
the information only to the extent the third party can disclose the 
information;
    (3) To any other person, if the disclosure would be lawful if made 
directly to that person by you; and
    (4) Pursuant to an exception in Sec. 716.14 or 716.15.


Sec. 716.12  Limits on sharing of account number information for 
marketing purposes.

    (a) General prohibition on disclosure of account numbers. You must 
not, directly or through an affiliate, disclose, other than to a 
consumer reporting agency, an account number or similar form of access 
number or access code for a consumer's credit card account, share 
account or transaction account to any nonaffiliated third party for use 
in telemarketing, direct mail marketing or other marketing through 
electronic mail to the consumer.
    (b) Exceptions. Paragraph (a) of this section does not apply if you 
disclose an account number or similar form of access number or access 
code:
    (1) To your agent or service provider solely in order to perform 
marketing for your own products or services, as long as the agent or 
service provider cannot directly initiate charges to the account; or
    (2) To a participant in a private label credit card program or an 
affinity or similar program where the participants in the program are 
identified to the member when the member enters into the program.
    (c) Examples. (1) Account number. An account number, or similar 
form of access number or access code, does not include a number or code 
in an encrypted form, as long as you do not provide the recipient with 
a means to decode the number or code.
    (2) Transaction account. A transaction account is an account other 
than a share or credit card account. A transaction account does not 
include an account to which a third party cannot initiate a charge.

Subpart C--Exceptions


Sec. 716.13  Exception to opt out requirements for service providers 
and joint marketing.

    (a) General rule. (1) The opt out requirements in Sec. Sec. 716.7 
and 716.10 do not apply when you provide nonpublic personal information 
to a nonaffiliated third party to perform services for you or functions 
on your behalf, if you:
    (i) Provide the initial notice in accordance with Sec. 716.4; and
    (ii) Enter into a contractual agreement with the third party that 
prohibits the third party from disclosing or using the information 
other than to carry out the purposes for which you disclosed the 
information, including use under an exception in Sec. 716.14 or 716.15 
in the ordinary course of business to carry out those purposes.
    (2) Example. If you disclose nonpublic personal information under 
this section to a financial institution with which you perform joint 
marketing, your contractual agreement with that institution meets the 
requirements of paragraph (a)(1)(ii) of this section if it prohibits 
the institution from disclosing or using the nonpublic personal 
information except as necessary to carry out the joint marketing or 
under an exception in Sec. 716.14 or 716.15 in the ordinary course of 
business to carry out that joint marketing.
    (b) Service may include joint marketing. The services that a 
nonaffiliated third party performs for you under paragraph (a) of this 
section may include marketing of your own products or services or 
marketing of financial products or services offered pursuant to joint 
agreements between you and one or more financial institutions.
    (c) Definition of joint agreement. For purposes of this section, 
joint agreement means a written contract pursuant to which you and one 
or more financial institutions jointly offer, endorse, or sponsor a 
financial product or service.


Sec. 716.14  Exceptions to notice and opt out requirements for 
processing and servicing transactions.

    (a) Exceptions for processing transactions at consumer's request. 
The requirements for initial notice in Sec. 716.4(a)(2), the opt out in 
Sec. Sec. 716.7 and 716.10 and service providers and joint marketing in 
Sec. 716.13 do not apply if

[[Page 31748]]

you disclose nonpublic personal information as necessary to effect, 
administer, or enforce a transaction that a consumer requests or 
authorizes, or in connection with:
    (1) Servicing or processing a financial product or service that a 
consumer requests or authorizes;
    (2) Maintaining or servicing the consumer's account with you, or 
with another entity as part of a private label credit card program or 
other extension of credit on behalf of such entity; or
    (3) A proposed or actual securitization, secondary market sale 
(including sales of servicing rights) or similar transaction related to 
a transaction of the consumer.
    (b) Necessary to effect, administer, or enforce a transaction means 
that the disclosure is:
    (1) Required, or is one of the lawful or appropriate methods, to 
enforce your rights or the rights of other persons engaged in carrying 
out the financial transaction or providing the product or service; or
    (2) Required, or is a usual, appropriate or acceptable method:
    (i) To carry out the transaction or the product or service business 
of which the transaction is a part, and record, service or maintain the 
consumer's account in the ordinary course of providing the financial 
service or financial product;
    (ii) To administer or service benefits or claims relating to the 
transaction or the product or service business of which it is a part;
    (iii) To provide a confirmation, statement or other record of the 
transaction, or information on the status or value of the financial 
service or financial product to the consumer or the consumer's agent or 
broker;
    (iv) To accrue or recognize incentives or bonuses associated with 
the transaction that are provided by you or any other party;
    (v) In connection with:
    (A) The authorization, settlement, billing, processing, clearing, 
transferring, reconciling or collection of amounts charged, debited, or 
otherwise paid using a debit, credit or other payment card, check or 
account number, or by other payment means;
    (B) The transfer of receivables, accounts or interests therein; or
    (C) The audit of debit, credit or other payment information.


Sec. 716.15  Other exceptions to notice and opt out requirements.

    (a) Exceptions to opt out requirements. The requirements for 
initial notice to consumers in Sec. 716.4(a)(2), the opt out in 
Sec. Sec. 716.7 and 716.10 and service providers and joint marketing in 
Sec. 716.13 do not apply when you disclose nonpublic personal 
information:
    (1) With the consent or at the direction of the consumer, provided 
that the consumer has not revoked the consent or direction;
    (2)(i) To protect the confidentiality or security of your records 
pertaining to the consumer, service, product or transaction;
    (ii) To protect against or prevent actual or potential fraud, 
unauthorized transactions, claims or other liability;
    (iii) For required institutional risk control or for resolving 
consumer disputes or inquiries;
    (iv) To persons holding a legal or beneficial interest relating to 
the consumer; or
    (v) To persons acting in a fiduciary or representative capacity on 
behalf of the consumer;
    (3) To provide information to insurance rate advisory 
organizations, guaranty funds or agencies, agencies that are rating 
you, persons that are assessing your compliance with industry 
standards, and your attorneys, accountants, and auditors;
    (4) To the extent specifically permitted or required under other 
provisions of law and in accordance with the Right to Financial Privacy 
Act of 1978 (12 U.S.C. 3401 et seq.), to law enforcement agencies 
(including a federal functional regulator, the Secretary of the 
Treasury, with respect to 31 U.S.C. Chapter 53, Subchapter II (Records 
and Reports on Monetary Instruments and Transactions) and 12 U.S.C. 
Chapter 21 (Financial Recordkeeping), a state insurance authority, with 
respect to any person domiciled in that insurance authority's state 
that is engaged in providing insurance, and the Federal Trade 
Commission), self-regulatory organizations, or for an investigation on 
a matter related to public safety;
    (5)(i) To a consumer reporting agency in accordance with the Fair 
Credit Reporting Act (15 U.S.C. 1681 et seq.), or
    (ii) From a consumer report reported by a consumer reporting 
agency;
    (6) In connection with a proposed or actual sale, merger, transfer, 
or exchange of all or a portion of a business or operating unit if the 
disclosure of nonpublic personal information concerns solely consumers 
of such business or unit; or
    (7)(i) To comply with federal, state or local laws, rules and other 
applicable legal requirements;
    (ii) To comply with a properly authorized civil, criminal or 
regulatory investigation, or subpoena or summons by federal, state or 
local authorities; or
    (iii) To respond to judicial process or government regulatory 
authorities having jurisdiction over you for examination, compliance or 
other purposes as authorized by law.
    (b) Examples of consent and revocation of consent. (1) A consumer 
may specifically consent to your disclosure to a nonaffiliated 
insurance company of the fact that the consumer has applied to you for 
a mortgage so that the insurance company can offer homeowner's 
insurance to the consumer.
    (2) A consumer may revoke consent by subsequently exercising the 
right to opt out of future disclosures of nonpublic personal 
information as permitted under Sec. 716.7(f).

SUBPART D--RELATION TO OTHER LAWS; EFFECTIVE DATE


Sec. 716.16  Protection of Fair Credit Reporting Act.

    Nothing in this part shall be construed to modify, limit, or 
supersede the operation of the Fair Credit Reporting Act (15 U.S.C. 
1681 et seq.), and no inference shall be drawn on the basis of the 
provisions of this part regarding whether information is transaction or 
experience information under section 603 of that Act.


Sec. 716.17  Relation to state laws.

    (a) In general. This part shall not be construed as superseding, 
altering, or affecting any statute, regulation, order or interpretation 
in effect in any state, except to the extent that such state statute, 
regulation, order or interpretation is inconsistent with the provisions 
of this part, and then only to the extent of the inconsistency.
    (b) Greater protection under state law. For purposes of this 
section, a state statute, regulation, order or interpretation is not 
inconsistent with the provisions of this part if the protection such 
statute, regulation, order or interpretation affords any consumer is 
greater than the protection provided under this part, as determined by 
the Federal Trade Commission, after consultation with the National 
Credit Union Administration, on the Federal Trade Commission's own 
motion or upon the petition of any interested party.


Sec. 718.18  Effective date; transition rule.

    (a) Effective date. This part is effective November 13, 2000. In 
order to provide sufficient time for you to establish policies and 
systems to comply with the requirements of this part, the National 
Credit Union Administration Board has

[[Page 31749]]

extended the time for compliance with this part until July 1, 2001.
    (b)(1) Notice requirement for consumers who were your members on 
the compliance date. By July 1, 2001, you must provide an initial 
notice, as required by Sec. 716.4, to consumers who are your members on 
July 1, 2001.
    (2) Example. You provide an initial notice to consumers who are 
your members on July 1, 2001, if, by that date, you have established a 
system for providing an initial notice to all new members and have 
mailed the initial notice to all your existing members.
    (c) Two-year grandfathering of service agreements. Until July 1, 
2002, a contract that you have entered into with a nonaffiliated third 
party to perform services for you or functions on your behalf satisfies 
the provisions of Sec. 716.13(a)(2) of this part, even if the contract 
does not include a requirement that the third party maintain the 
confidentiality of nonpublic personal information, as long as the 
agreement was entered into on or before July 1, 2000.

APPENDIX A TO PART 716--SAMPLE CLAUSES

    Credit unions, including a group of affiliates that use a common 
privacy notice, may use the following sample clauses, if the clause is 
accurate for each institution that uses the notice.

A-1--Categories of information you collect (all credit unions)

    You may use this clause, as applicable, to meet the requirement of 
Sec. 716.6(a)(1) to describe the categories of nonpublic personal 
information you collect.

Sample Clause A-1:

    We collect nonpublic personal information about you from the 
following sources:
     Information we receive from you on applications or other 
forms;
     Information about your transactions with us, our 
affiliates, or others; and
     Information we receive from a consumer reporting agency.

A-2--Categories of information you disclose (credit unions that 
disclose outside of the exceptions)

    You may use one of these clauses, as applicable, to meet the 
requirement of Sec. 716.6(a)(2) to describe the categories of nonpublic 
personal information you disclose. These clauses may be used if you 
disclose nonpublic personal information other than as permitted by the 
exceptions in Sec. Sec. 716.13, 716.14, and 716.15.

Sample Clause A-2, Alternative 1:

    We may disclose the following kinds of nonpublic personal 
information about you:
     Information we receive from you on applications or other 
forms, such as [provide illustrative examples, such as ``your name, 
address, social security number, assets, and income''];
     Information about your transactions with us, our 
affiliates, or others, such as [provide illustrative examples, such as 
``your account balance, payment history, parties to transactions, and 
credit card usage'']; and
     Information we receive from a consumer reporting agency, 
such as [provide illustrative examples, such as ``your creditworthiness 
and credit history''].

Sample Clause A-2, Alternative 2:

    We may disclose all of the information that we collect, as 
described [describe location in the notice, such as ``above'' or 
``below''].

A-3--Categories of information you disclose and parties to whom you 
disclose (credit unions that do not disclose outside of the exceptions)

    You may use this clause, as applicable, to meet the requirements of 
Sec. 716.6(a)(2), (3) and (4) to describe the categories of nonpublic 
personal information about members and former members that you disclose 
and the categories of affiliates and nonaffiliated third parties to 
whom you disclose. This clause may be used if you do not disclose 
nonpublic personal information to any party, other than as permitted by 
the exceptions in Sec. Sec. 716.14, and 716.15.

Sample Clause A-3:

    We do not disclose any nonpublic personal information about our 
members and former members to anyone, except as permitted by law.

A-4--Categories of parties to whom you disclose (credit unions that 
disclose outside of the exceptions)

    You may use this clause, as applicable, to meet the requirement of 
Sec. 716.6(a)(3) to describe the categories of affiliates and 
nonaffiliated third parties to whom you disclose nonpublic personal 
information. This clause may be used if you disclose nonpublic personal 
information other than as permitted by the exceptions in 
Sec. Sec. 716.13, 716.14, and 716.15, as well as when permitted by the 
exceptions in Sec. Sec. 716.14, and 716.15.

Sample Clause A-4:

    We may disclose nonpublic personal information about you to the 
following types of third parties:
     Financial service providers, such as [provide illustrative 
examples, such as ``mortgage bankers, securities broker-dealers, and 
insurance agents''];
     Non-financial companies, such as [provide illustrative 
examples, such as ``retailers, direct marketers, airlines, and 
publishers'']; and
     Others, such as [provide illustrative examples, such as 
``non-profit organizations''].
    We may also disclose nonpublic personal information about you to 
nonaffiliated third parties as permitted by law.

A-5--Service provider/joint marketing exception

    You may use one of these clauses, as applicable, to meet the 
requirements of Sec. 716.6(a)(5) related to the exception for service 
providers and joint marketers in Sec. 716.13. If you disclose nonpublic 
personal information under this exception, you must describe the 
categories of nonpublic personal information you disclose and the 
categories of third parties with whom you have contracted.

Sample Clause A-5, Alternative 1:

    We may disclose the following information to companies that perform 
marketing services on our behalf or to other financial institutions 
with whom we have joint marketing agreements:
     Information we receive from you on applications or other 
forms, such as [provide illustrative examples, such as ``your name, 
address, social security number, assets, and income''];
     Information about your transactions with us, our 
affiliates, or others, such as [provide illustrative examples, such as 
``your account balance, payment history, parties to transactions, and 
credit card usage'']; and
     Information we receive from a consumer reporting agency, 
such as [provide illustrative examples, such as ``your creditworthiness 
and credit history''].

Sample Clause A-5, Alternative 2:

    We may disclose all of the information we collect, as described 
[describe location in the notice, such as ``above'' or ``below''] to 
companies that perform marketing services on our behalf or to other 
financial institutions with whom we have joint marketing agreements.

[[Page 31750]]

A-6--Explanation of opt out right (credit unions that disclose outside 
of the exceptions)

    You may use this clause, as applicable, to meet the requirement of 
Sec. 716.6(a)(6) to provide an explanation of the consumer's right to 
opt out of the disclosure of nonpublic personal information to 
nonaffiliated third parties, including the method(s) by which the 
consumer may exercise that right. This clause may be used if you 
disclose nonpublic personal information other than as permitted by the 
exceptions in Secs. 716.13, 716.14, and 716.15.

Sample Clause A-6:

    If you prefer that we not disclose nonpublic personal information 
about you to nonaffiliated third parties, you may opt out of those 
disclosures, that is, you may direct us not to make those disclosures 
(other than disclosures permitted by law). If you wish to opt out of 
disclosures to nonaffiliated third parties, you may [describe a 
reasonable means of opting out, such as ``call the following toll-free 
number: (insert number)].

A-7--Confidentiality and security (all credit unions)

    You may use this clause, as applicable, to meet the requirement of 
Sec. 716.6(a)(8) to describe your policies and practices with respect 
to protecting the confidentiality and security of nonpublic personal 
information.

Sample Clause A-7:

    We restrict access to nonpublic personal information about you to 
[provide an appropriate description, such as ``those employees who need 
to know that information to provide products or services to you'']. We 
maintain physical, electronic, and procedural safeguards that comply 
with federal regulations to guard your nonpublic personal information.

PART 741--REQUIREMENTS FOR INSURANCE

    1. The authority citation for part 741 continues to read as 
follows:

    Authority: 12 U.S.C. 1757, 1766, and 1781-1790. Section 741.4 is 
also authorized by 31 U.S.C. 3717.

    2. Add Sec. 741.220 to part 741 to read as follows:


Sec. 741.220  Privacy of consumer financial information.

    Any credit union which is insured pursuant to Title II of the Act 
must adhere to the requirements stated in part 716 of this chapter.

[FR Doc. 00-12014 Filed 5-17-00; 8:45 am]
BILLING CODE 7535-01-U