VIA E-MAIL - GLBRule@ftc.gov
March 31, 2000
Secretary
Federal Trade Commission, Room H-159
600 Pennsylvania Avenue, N.W.
Washington, DC 20580

RE: Gramm-Leach-Bliley Act Privacy Rule, 16 CFR Part 313 – Comment

Dear Sir or Madam:

The Credit Union National Association (CUNA) appreciates the opportunity to comment on the Federal Trade Commission’s (FTC’s) proposed privacy rule. CUNA represents more than 90 percent of our nation’s 11,000 state and federal credit unions.

The FTC privacy rule will apply to approximately 400 credit unions that are not federally insured. CUNA is also interested in the FTC privacy rule because it will cover credit union service organizations (CUSOs) to the extent that such CUSOs are not covered under another agency’s privacy rule, such as those issued by the Securities and Exchange Commission. CUSOs are limited partnerships, corporations, or limited liability companies where a credit union has made an investment and/or loan. CUSOs provide services that primarily serve credit unions or members of affiliated credit unions.

In Section G of the Supplementary Information, the FTC invites comments on the comprehensibility of the rule, including input on how the rule can be changed so that it is easier to understand. Our suggestion in response to Section G is to request that the FTC allow non-federally insured credit unions to follow the privacy rule that will be issued by the National Credit Union Administration (NCUA), while preserving the FTC’s enforcement authority over these credit unions.

Although 16 CFR 313 will be substantially similar to the privacy rules of the other federal regulators, NCUA’s rule will provide a focus on credit unions, including examples tailored to their operations. The 400 non-federally insured credit unions are subject to the same supervisory and enforcement authority of state regulatory examiners as are other state chartered credit unions. NCUA’s rule, directly applicable to federally insured credit unions, will address the unique membership features of credit unions as well as determine the ownership interest federally insured credit unions must have in CUSOs in order for these entities to be considered "affiliates" for purposes of the privacy rule. These variations by NCUA will be important to the cooperative nature of the credit union movement and carry forth the directive of Congress, as reflected in the Conference Report, that "agencies…should take into consideration any adverse competitive effects upon small commercial banks, thrifts, and credit unions."

We believe that allowing all credit unions to rely on the same language will improve compliance because all credit unions can be provided the same training opportunities and supervisory oversight by their state examiners. Our request can be achieved simply by inserting the following language at the end of Section 313.1(b):

"Credit unions subject to the Commission’s enforcement authority will be subject to the provisions of 12 CFR 716."

We have also attached our comment letter to NCUA with regard to the federally insured credit unions that are both state and federally chartered. With regard to the treatment of CUSOs as affiliates, the federal regulators are using a 25% threshold for determining if an entity is an affiliate. This threshold derives from Section 23A of the Federal Reserve Act. The NCUA has specifically requested comment on whether a CUSO that is 100% owned by credit unions should be considered an affiliate of all the investing credit unions, regardless of whether any one credit union owns 25%. This issue has been raised out of recognition that CUSOs occupy a unique role in the credit union cooperative structure with no parallel in other types of institutions and that CUSOs are subject to restrictions that do not apply to other types of affiliates.

For a number of reasons as described in the attached comment letter to NCUA, we are urging the NCUA Board to eliminate the 25% threshold. If the threshold is eliminated in NCUA’s final rule, this will apply to information that is disclosed by the credit union to the CUSO. However, this change will not apply to information that is disclosed by the CUSO to the credit union, unless the FTC adopts our suggested modification of Section 313.1(b) or changes its rule accordingly with regard to the CUSOs that are subject to the FTC’s jurisdiction.

Thank you for the opportunity to comment on the FTC’s proposed privacy rule. If you or agency staff have questions about our comments, please give me a call at 202-218-7795.

Jeffrey Bloch
Assistant General Counsel
Credit Union National Association

Attachment

VIA FACSIMILE
(703) 518-6319

March 31, 2000

Ms. Becky Baker
Secretary of the Board
National Credit Union Administration
1775 Duke Street
Alexandria, Virginia 22314-3428

RE: NCUA’s Proposed Rule on Privacy (Part 716)

Dear Ms. Baker:

The Credit Union National Association (CUNA) appreciates the opportunity to comment on NCUA’s proposed rule on privacy. CUNA represents more than 90 percent of our nation’s 10,900 state and federal credit unions. The following comments were developed by CUNA with input from the credit union leagues and CUNA’s Consumer Protection Subcommittee.

Summary of CUNA's Position

Credit unions are very concerned about the drafting of the initial, annual, and opt out notices. We hope the regulators will take the lead in developing model language or sample disclosures. CUNA will be happy to provide any needed assistance. These models or sample disclosures will help credit unions in their efforts to develop the notices as intended by Congress and the regulators. These models or samples should also mitigate litigation that may result from those who may challenge the sufficiency of the privacy notices.

In the proposed rule, NCUA has requested comment on a number of specific issues. CUNA has reviewed the proposed rule and recommends the following changes, which are then described in further detail (please refer to the page number listed after each change for more information):

Credit unions should not be required to send privacy notices to nonprimary accountholders, co-borrowers, guarantors, or beneficiaries. (Page 3)

Compliance with the privacy rule should be voluntary as of November 13, 2000 and should not be mandatory until April 13, 2001. (Page 5)

CUSOs should be considered affiliates of a credit union regardless of the ownership percentage. (Page 7)

Instead of using the term "customer" and defining it as a subset of "consumer," we believe that these terms should be separated. "Consumer" should only refer to those without a continuing relationship with the credit union. The term "customer" should be replaced with the term "member or other eligible individual" and should only refer to those with a continuing relationship with the credit union. (Page 8)

"Publicly available information" should include information that could be derived from a public source, even if it is obtained from a nonpublic source. (Page 8)

The definition of "financial institution" and "financial products or services" needs further clarification. (Page 10)

NCUA should track the timing requirements of NCUA’s Truth in Savings rules for when the initial notice must be provided. (Page 10)

Credit unions need more guidance or examples regarding the requirement to describe how the confidentiality, security, and integrity of personal information are protected. (Page 12)

Credit unions should not be required to pay the postage for members or others who reply to the opt out notice. (Page 12)

All possible collection activities should be included in the transaction processing exception to the opt out requirements, including the monitoring of real estate and automobile loans to ensure that there is sufficient insurance. (Page 14)

Certain examples that are of particular concern, such as those regarding the "stamped reply" to the opt out notice and the 30-day period to reply to the opt out notice, should be included in the supplementary information, not in the rule itself. However, examples regarding the exceptions to the notice and opt out requirements would be helpful, as would an example that would further clarify the use of websites for delivery of the annual and opt out notices. (Page 15)

General Comments

The proposed rule covers the requirements regarding initial and annual notices of privacy policies, the procedures that federally insured credit unions must use when providing consumers with the right to "opt out" of certain information disclosures, and the exceptions to the obligation to provide these opt out rights. The rule is required under the Gramm-Leach-Bliley Act (Act), which was signed by the President on November 12, 1999.

Under the Act, final privacy rules must be issued by the appropriate federal regulators by May 12, 2000 and will be effective on November 13, 2000, unless a later date is specified in the final rules. As required under the Act, NCUA’s rule must be substantially similar to the rules of the other regulators, with certain exceptions to account for credit union specific issues.

CUNA appreciates NCUA’s efforts in developing the proposed rule. We realize that NCUA and the other federal regulators had limited time to draft the rules and that substantial efforts were necessary in order to coordinate with the other regulators for purposes of drafting consistent rules. CUNA also appreciates that the rule closely follows the privacy provisions in the Act. When Congress considered these provisions, CUNA was actively involved to ensure that these provisions adequately address the privacy rights of credit union members. As noted by Senator Tim Johnson (D-SD) at CUNA’s recent Governmental Affairs Conference, "[c]redit unions have always been responsible protectors of their members’ financial privacy."

CUNA was also actively involved in the legislative process to ensure that credit unions would not find themselves at a competitive disadvantage to the new financial conglomerates that will be formed in the future as a result of the Act. The Conference Report specifically recognized the legitimate concerns raised by CUNA and others on behalf of smaller financial institutions and the federal regulators have been directed, as part of the rulemaking process, to take into account any adverse competitive effects that may occur. CUNA also wanted to ensure that these provisions provide the necessary flexibility to allow credit unions to disclose financial information that is necessary for legitimate business purposes so that members may continue to receive high quality service and products in an efficient manner. We believe that the privacy provisions in the Act have accomplished these goals.

As with any new consumer protection rule, credit unions will face a significant regulatory burden. The cost of preparing and mailing the privacy notices will be significant. Some estimates we have received indicate that the cost to send each notice could exceed one dollar. Of course, we are hopeful that credit unions will rely increasingly on electronic means for delivering the notices. Credit unions should be able to realize cost savings through these electronic means now and in the future as technology evolves. It is also our understanding that many credit unions are not prepared at this time to monitor and comply with the opt out notices that they may receive, especially if the requirements regarding joint accounts are not changed.

Joint Accountholders, Co-borrowers, Guarantors, and Beneficiaries

A very important issue regarding the notices is who should receive them when there is a joint account. This is also an issue with co-borrowers and guarantors. Other than the primary accountholder, credit unions often do not have the address for the other accountholders and are not currently able to send such notices to them. While credit unions will have addresses for co-borrowers, they do not have this information entered into data processing systems that allow retrieval for mass mailings.

We have received many estimates from credit unions regarding the cost of obtaining this information. For example, one credit union with about 50,000 members has told us that it will spend about $200,000 in efforts to retrieve the necessary information. This includes the costs to reprogram the computer system and to make attempts to collect the information from the nonmember joint accountholders, co-borrowers, and guarantors. After spending this large amount of money, the credit union will still not be guaranteed that they will have the necessary information because the collection of this information will depend on the cooperation of these nonmembers. The cost estimate for this credit union is comparable to those received from other credit unions, after taking into account the differences in membership sizes.

Because credit unions have little information about such individuals, it is not likely that they will need to send opt out notices to each accountholder, or even to co-borrowers or guarantors. For credit unions, the cost of retrieving the information clearly outweighs any benefit that would be derived from the use of that information.

It also seems counterintuitive to require credit unions to collect additional information when one of the goals of the proposed rule is to safeguard the privacy of that information. Not having the information in the first place is the best way for credit unions to ensure that the information will not be disclosed inappropriately. Credit unions are also concerned that individuals will have a negative reaction to the collection of this information and will not accept the idea that collecting the information furthers the goal of protecting privacy.

We believe a reasonable approach would be to not apply the privacy rule to categories of individuals for whom information is not collected by the credit union. If information is collected, these joint accountholders, co-borrowers, and guarantors should be considered consumers that are not customers. Under the proposed privacy rule, these types of consumers receive privacy notices only when information is shared with third parties, unless there is a specific exception.

Another compelling reason to exclude joint owners from the privacy policy notification requirements is that primary members are permitted to name individuals as joint owners on share certificates without notifying the joint owners. In these situations, sending the privacy notice alerts the joint owners that their names are on these accounts. This invades the privacy of the primary member, which violates the goal of the privacy rule.

We also note that joint accountholders, co-borrowers, and guarantors have a special relationship with each other, whether it is a family relationship or similar connection. It is natural to assume that these individuals will likely consult with each other when they receive important information about their account, such as the annual privacy notice.

The need to send notices to all of the accountholders is especially questionable when the accountholders live in the same household, which is often the case. Although the accountholders may find the privacy policies useful, they may actually not be pleased to receive a copy for each accountholder, which they may perceive as unnecessary duplication. This displeasure may especially be the case for member-owned, not-for-profit credit unions where members may correctly perceive that the unnecessary cost will ultimately be borne by the members.

This cost burden will be increased if credit unions have to undertake the time consuming process of identifying those who are parties to more than one account in order to avoid sending duplicate notices to a particular individual. It will also be a burden for the credit union to receive each opt out notice and determine all the accounts to which it may apply when the individual has interests in multiple accounts. This may also require monitoring for future accounts to which the opt out may later apply. These processes will impose a particular hardship on smaller credit unions that do not have sufficient resources to identify other accounts held by a joint owner.

For the above reasons, we believe that an annual notice to the primary accountholder will be sufficient. In situations where opt out notices need to be sent out, we encourage NCUA to consider eliminating the requirement that an opt out notice be provided to all accountholders. This approach should also apply for co-borrowers and guarantors.

As it is, monitoring which members submit opt out notices will be very difficult for credit unions and will be compounded if they need to track opt out notices from each accountholder of a joint account. This approach to providing privacy policies in a joint account situation is comparable to the requirements under Regulation DD (Truth in Savings), and the approach used for Internal Revenue Service Form 1099.

There are additional reasons for excluding trust beneficiaries from the privacy rule. In general, we do not believe the privacy rule should apply to such beneficiaries, unless they are otherwise members of the credit union or have some other relationship apart from the trust account. Beneficiaries in a trust account have a contingent interest in that account. As such, we believe that the beneficiaries’ relationship with the credit union is also contingent, and they should not be considered to have a relationship with the credit union until the interest in the account transfers to them as required under the trust documents.

Effective Date

The final rule is currently scheduled to be effective as of November 13, 2000. This required compliance date will not give credit unions enough time to review their information sharing practices and then be able to describe them adequately in the privacy policies. This effort will also include rewriting contracts, redesigning data processing systems, training staff, and creating new forms. The required compliance date will pose a particular problem with regard to the opt out requirements. In order to comply with these requirements, credit unions will need to examine all of their information sharing practices to determine how they fit within the exceptions to the opt out requirements.

Compliance with all aspects of the privacy rule will require significant expenditures. This includes additional staffing and working with data processors to analyze, evaluate, develop, test, certify, and implement the necessary data processing systems and internal policies in order to handle the distribution of the privacy notices and to properly account for the receipt of the opt out notices. Data processing efforts are already behind because of the impact of Y2K compliance. Larger credit unions with in-house data processing systems inform us that they will not be able to update their systems by year-end in an efficient manner.

The privacy legislation had not yet passed when credit unions created their year 2000 budgets and their budgets likely do not include privacy compliance costs. Allowing a delay for required compliance by credit unions will help immensely in efforts to properly account for these expenses as credit unions prepare the 2001 budget.

NCUA and the other regulators should also consider a delay because the privacy rule is intertwined with the provisions of the Fair Credit Reporting Act (FCRA) regarding the sharing of information among affiliates for credit reporting purposes. The Act authorizes the financial institution regulators to draft rules under the FCRA. NCUA and the other regulators should consider extending the required compliance date so that the privacy rule and the FCRA rules will become effective at the same time. This will help ensure a smoother transition for purposes of complying with the privacy rule. A smoother transition can also be assured if the required compliance date is delayed until the federal regulators distribute their proposed standards regarding the administrative, technical, and physical safeguards of consumer information.

We are also concerned that the November 13, 2000 required compliance date will create overwhelming burdens for credit unions as they prepare for the recent final rule implementing prompt corrective action (PCA) and the upcoming final rule regarding complex credit unions. Some credit unions may need flexibility to prepare for the PCA rules and the privacy rule. Delaying the effective date would provide the needed flexibility.

For these reasons, we propose that the required compliance date be delayed until April 13, 2001. We believe this date is appropriate for the proposed privacy rule because it will ensure that credit unions have the time they need to ensure compliance with the rule. This approach with regard to the effective date will also provide some flexibility for each credit union to choose which time of year would be best for sending the initial and future annual privacy notices. Some credit unions may prefer to include the notices with the year-end mailing while others may prefer to include the notices in mailings or newsletters that are sent in the first quarter of the year. In an effort to accommodate this flexibility, the final rule should clarify that credit unions will not need to repeat any compliance efforts that are undertaken prior to April 13, 2001.

Because the effective date may pose a particular problem for smaller institutions such as credit unions, we would encourage NCUA to delay the effective date even if the other regulators do not allow such a delay. NCUA could permit such a delay under its authority to consider the unique nature of credit union structure and operations. If the effective date is not extended, the final rule should at least provide assurances that adverse actions will not be taken against credit unions that demonstrate a good faith effort in complying with the rule.

Credit Union Service Organizations (CUSOs) and the Definition of "Affiliates"

Under the proposed rule, a CUSO will be considered an affiliate of those credit unions that own at least 25% of the CUSO. We recognize that this threshold is being used by all of the other federal regulators for affiliates. However, the treatment of CUSOs is a unique credit union issue and NCUA should consider eliminating this requirement, regardless of how the other federal regulators treat this issue.

The 25% threshold is derived from Section 23A of the Federal Reserve Act and is used to determine when companies are affiliated with financial institutions. The 25% threshold does not take into account the unique and historic relationship between CUSOs and credit unions. CUSOs are the primary means for credit unions to use for accomplishing activities under an affiliated structure. For federal credit unions, a CUSO is the only entity that can be an affiliate. CUSOs have a unique role in the credit union cooperative structure with no parallel in other types of financial institutions.

Historically, a federal credit union that invested in or made a loan to a CUSO was considered to be an affiliated credit union of the CUSO. For these reasons, there should not be any distinctions based on percentage thresholds. A relationship between a credit union and a CUSO is generally the same, regardless of whether a credit union may own 10, 20, or 25% of that CUSO.

The credit union structure also differs from other financial institutions because other institutions now have greatly expanded powers to affiliate with a variety of other entities that provide financial services. Because credit unions cannot take advantage of these expanded powers, it is essential that there not be any percentage restrictions for determining if a CUSO is an affiliate of a credit union. The elimination of the percentage restriction will help to alleviate the disadvantage between credit unions and other financial institutions with regard to sharing information among affiliates.

The relationship between credit unions and CUSOs is also subject to restrictions that do not apply to other affiliate relationships. For example, federal credit unions are restricted in the amount they may invest in CUSOs. A federal credit union may not generally invest more than one percent of its assets in CUSOs. Although credit unions and CUSOs vary in form and size, this one-percent restriction quite often hampers the ability of a credit union to own more than 25% of a CUSO. This seems rather unfair because other financial institutions do not have this restriction regarding investments in affiliates and these other institutions will therefore have an unfair competitive advantage.

CUSOs are now allowed to be formed as limited liability partnerships. However, a federal credit union may only participate as a limited partner and is prohibited from investing as a general partner. If the final rule maintains the requirement that only CUSOs that are wholly owned by credit unions may qualify as an affiliate, the practical effect would be that CUSOs formed as limited liability partnerships could never qualify as affiliates for purposes of the privacy rule.

CUSOs share the same interests that credit unions have regarding member privacy and recognize the need to protect privacy consistent with the goal of providing high quality services in an efficient manner. For these reasons, the simple approach would be to consider CUSOs as affiliates of credit union owners. If NCUA ultimately decides that the CUSO must be 100% owned by credit unions in order to be considered an affiliate of all the credit unions, then we urge NCUA to consider this requirement satisfied if any of the owners are credit union related organizations. An example would be service corporations owned by credit union leagues. This requirement should also be satisfied if a CUSO owner was a credit union at the time the CUSO was formed but later changed its charter to another type of financial institution.

We also believe that any entity wholly owned by credit unions should be considered an affiliate for purposes of the privacy rule even if the entity is not set up as a CUSO. This would include CUNA Mutual, which is appropriate considering that CUNA Mutual is dedicated to serving the credit union movement.

Regardless of how CUSOs in general are covered under the definition of "affiliate," we believe certain types of CUSOs should simply not be covered under the privacy rules. Two examples are shared branches and ATM networks. These types of CUSOs serve merely as conduits in order to provide efficient services for credit union members. These CUSOs do not maintain any personal information about the member other than what is needed to service the requested transaction. The shared branches and ATM networks should be excluded from the rule, and this same analysis should apply to all CUSOs that are merely conduits of the credit union.

Use of the Terms "Consumer" and "Customer"

Instead of using the term "customer" and defining it as a subset of "consumer," we believe that these terms should be separated. "Consumer" should only refer to those individuals without a continuing relationship with the credit union. The term "customer" should be replaced with the term "member or other eligible individual" and should only refer to those with a continuing relationship with the credit union. Instead of repeating the term "member or other eligible individual" throughout the rule, the term "member" could be added to the list of definitions and could include the "eligible individuals" as part of the definition. Of course, this definition of member would only apply for purposes of the privacy rule.

Definition of "Publicly Available Information"

All of the federal regulators are proposing, or seeking comment on, two alternatives regarding the definition of "publicly available information." One alternative would define this term as information that is derived from public sources while the other alternative would define the term as information that could be derived from public sources, even if it is obtained from a nonpublic source.

We believe NCUA should use the latter alternative. If such information is available from public sources, we do not believe members will be concerned about the distinction. This will more likely be the case if member lists, or other indications that an individual is a credit union member, are not disclosed without providing the opt out rights, as contemplated under the proposed rule.

The latter alternative will also benefit credit unions because it will simplify compliance efforts. This alternative will be easier for credit union employees to follow and will be easier for credit union management in their efforts to train employees about how to treat member privacy. These benefits outweigh the possible infringement of a member’s privacy, which we believe is negligible.

With regard to the treatment of member lists, credit unions are not generally opposed to the idea that nonpublic information includes the fact that an individual is a credit union member. However, we believe that the disclosure requirements should not be interpreted to require privacy disclosures when mentioning noteworthy facts about members in a newsletter, annual report, or disclosing information about members who want to serve on the board of directors. Subjecting the sharing of this information to disclosure requirements may ultimately impede volunteerism, which is a hallmark of the credit union movement. A limited exclusion to the member list prohibition should also apply when credit union members want to obtain names and addresses from the credit union for purposes of obtaining proxies.

Choosing our preferred alternative regarding the definition of "publicly available information" and allowing disclosure of member lists in limited situations will also resolve another problem for credit unions. Under the proposed rule, it appears that privacy notices will have to be given if a credit union contracts with a third party for the purpose of merely mailing the credit union’s marketing materials. This requirement to deliver the privacy notices in this situation seems rather excessive and unfair considering that larger financial institutions can mail these materials in-house and will not face this problem.

Credit unions would also benefit if the definition of "nonpublic personal information" excluded information about a member or other individual that does not contain a personal indicator. In addition to the example provided by NCUA regarding aggregate information about mortgage loans, this exclusion would prevent disruptions of other practices. Examples include providing information for surveys, financial modeling, or for other types of demographic studies, such as mapping the membership base for purposes of locating new branch sites.

Definition of "financial institution" and "financial products or services"

We believe it would be helpful if the rule were to provide more information regarding the definition of "financial institution" and "financial products or services." The proposed rule refers the reader to Section 4(k) of the Bank Holding Company Act. This will be confusing because overall credit unions are not as impacted by the Act as other financial institutions and would not necessarily be aware that Section 4(k) was added by the Act.

Adding the provisions of Section 4(k) as an appendix to the rule would help alleviate this confusion. Also, these definitions will require constant interpretations by the Federal Reserve Board. It is important that there be a mechanism where these interpretations can be communicated regularly to credit unions in an easily understood format. We ask that you raise this with the Federal Reserve Board as you proceed to finalize the rule. CUNA will also send a comment letter directly to the Federal Reserve Board regarding this issue.

Initial, Annual, and Opt Out Notices

Providing initial notice "prior to" establishing the continuing relationship

In most circumstances, the proposed rule requires that an initial notice be given to a consumer "prior to" establishing a continuing relationship. We note that the language in the Act differs on this point and requires that the notice be given "at the time of establishing" the relationship.

The language in the rule should be similar to the delivery rules under Section 707.4 of NCUA’s Truth in Savings rules. We understand that the privacy rule is intended to provide the initial notice at a point in time so that the consumer can compare privacy policies among financial institutions. However, in most circumstances, the notice will be given at the time that a consumer applies for membership. Whether the notice is provided at the time the application is given to the consumer, or after the application is processed by the credit union, will likely have no practical effect on a consumer’s ability to compare privacy policies. We believe that consumers will be satisfied if they receive the policy at around the same time that the application is being processed.

Our suggestion here would be to permit the credit unions to have the privacy notices available at the branch and to either provide the notice to individuals who are interested in receiving a copy at that time or deliver the notice shortly thereafter. Under this approach, the credit union will then have the flexibility to mail the notice to the new member shortly after the account relationship is established. This approach will allow the new member to see the notice at the time the relationship is established for purposes of comparing privacy policies among financial institutions but will also provide needed flexibility for the credit union. It will also facilitate the opening of accounts by telephone or by way of on-site sponsor visits where it would be impossible to provide a notice "prior to" establishing the relationship.

"Dormant" accounts

Under the proposed rule, a credit union will not be required to send annual notices to members or others after the time that the continuing relationship is terminated. NCUA has requested comment on the examples in the proposed rule as to when a credit union no longer has a continuing relationship with a member or other individuals. The examples generally provide a clear standard as to when the continuing relationship is terminated. However, the example regarding a dormant account for nonmember accounts is confusing for credit unions because they may not understand the reason for the distinction between member and nonmember accounts.

Bad addresses

Credit unions typically do not continue to mail statements when they have been sent to "bad addresses." In some cases, especially where the membership is transient, this can exceed five percent of the mailing. The final rule should clarify that there is no requirement to mail an initial or annual notice to an account that is determined to be a bad address.

Provisions in the notice regarding the opt out exceptions

Under the proposed rule, when addressing certain exceptions to the opt out requirements, the initial and annual notice need only state that the credit union makes such disclosures to nonaffiliated third parties as permitted by law. We believe this is adequate for purposes of the privacy rule. Credit unions on their own accord may decide to provide more information as a means to reassure members that such disclosures made under these opt out exceptions are for purposes that benefit the membership. The decision to include such additional information should be left to the credit union and not included in the final rule. As an aside, we believe credit unions will better understand the opt out provisions if the definition of "opt out" is moved from Section 716.7 to the list of definitions under Section 716.3.

Responsibility regarding third parties

In certain situations, such as indirect lending and loan participations, we are uncertain about the responsibilities that the credit union may have with regard to the privacy rule. We ask that NCUA work with the other federal regulators to consider these issues and to provide guidance in the final rule. In the case of loan participations, borrowers will not benefit if they receive duplicate disclosures from all of the participating lenders.

On a somewhat related issue, we urge NCUA to clarify how the rule will apply in a merger situation with regard to a member of a merged credit union who has already exercised the opt out option. Although we recognize that the surviving credit union may have to provide a copy of its policies to the new members that result from the merger, we believe the final rule should be clarified so that these policies can be mailed as part of the next annual mailing cycle.

Policies regarding confidentiality, security, and integrity of nonpublic personal information

The initial and annual privacy notices must describe the credit union’s policies and practices for protecting the confidentiality, security, and integrity of nonpublic personal information. This may be satisfied by providing an explanation of who has access to the information, the particular circumstances under which it may be accessed, and measures to protect the information from threats and hazards. However, this does not need to include technical information about the safeguards.

Although we appreciate the flexibility, credit unions would appreciate either more guidance in this area or examples of language that would be acceptable. Alternatively, the final rule should at least provide assurances that adverse actions will not be taken against credit unions that demonstrate a good faith effort in describing these practices.

The Opt Out Election Process

30-day reply period

CUNA opposes separate opt out options for joint accountholders and co-borrowers. The primary accountholder and borrower should control the opt out decision. As noted earlier, credit unions do not collect information about these individuals in an organized and retrievable form and the opt out provisions should not apply in these situations.

Under the proposed rule, when a credit union provides an opt out notice by mail, it must allow the member or other individual a reasonable period of time, such as 30 days, to opt out. Although we do not necessarily disagree that a 30-day period is "reasonable," we question the reason for a specific time period here but not in other contexts. For example, if a credit union and a member or other individual orally agree to enter into a continuing relationship and the credit union wants to disclose information, the opt out notice may be given at a reasonable time afterwards, if the consumer agrees. No specific time period is offered for this situation.

In these and similar situations, credit unions are in the best position to determine the reasonable time period. Credit unions may very well decide that the 30-day period is reasonable but they should be able to make that decision. Also, if the consumer elects to opt out after the reasonable time period, the final rule should clearly state that a credit union will not be required to notify vendors that have already received the consumer’s information, unless the vendor requests updated information after the opt out is received.

Stamped reply form

The proposed rule provides examples of methods of providing members and others with a reasonable means to exercise an opt out right. One of these examples refers to a "self-addressed, stamped reply form." This example does not appear to be required, but there may be confusion as to whether credit unions are required to pay the cost of the postage needed to mail the opt out reply back to the credit union.

The cost of this postage will add substantially to the burden that credit unions will already face with regard to providing the necessary initial, annual, and opt out notices.

This includes the burden associated with storing the opt out replies that are sent back to the credit union. Because credit unions are member-owned, not-for-profit cooperatives, the membership will ultimately have to bear this cost. The cost will depend on how many opt out replies are sent to the credit union and the extent to which any stamped reply envelopes are used for other purposes.

Unlike other financial institutions, credit unions cannot offset this cost against any profits that may exist. As an example of the burden posed by the stamped reply form, one credit union has informed us that it will face an annual cost of $44,000 to send the notices as required under the proposed rule. About $30,000 of this cost is directly associated with the requirement to provide the stamped reply form.

The cost to each member to mail the reply back to the credit union is rather small compared to the significant cost to credit unions if they are required to pay this cost on behalf of all their members and the nonmembers who may be affected. We do not believe that members or others will be concerned about paying the relatively minimal cost of the postage necessary to mail the opt out reply back to the credit union. Most individuals seem to accept the responsibility of the cost necessary to initiate communications through the use of the postal service.

Exceptions to the Opt Out Requirements

Service provider/joint marketing exception

The proposed rule provides a number of exceptions to the requirement of sending opt out notices when information is disclosed to nonaffiliated third parties. One exception is when the credit union discloses nonpublic information to a nonaffiliated third party that performs services for the credit union. This exception also includes marketing of products and services offered under joint agreements with other financial institutions. The Act requires that such sharing of information be "fully disclosed" to the member. Under the rule, credit unions will comply with this requirement of the Act if they provide the member or other individuals with the initial notice that describes these information disclosures.

NCUA has requested comment as to whether providing the initial notice appropriately implements the "fully disclosed" requirement under the Act. We believe that it does appropriately implement the statutory requirement and that this is sufficient for both the credit union and the membership. The initial or annual notice is intended to provide a clear and conspicuous description of the credit union’s privacy policies, including the disclosure of information to service providers. We believe members or other individuals will appreciate that these notices are the primary source that they can refer to for information regarding the disclosure of their personal information.

Assuming these notices are drafted as intended by the Act and the rule, we do not believe members or other individuals will see the benefit of additional information, at least not to any extent that would outweigh the cost burden to the credit union. In general, the provisions in the proposed rule regarding the service provider/joint marketing exception are sufficient to protect the privacy of members and others who have a relationship with the credit union. One possible suggestion, however, would be to include the annual notice, in addition to the initial notice, as information that could also be disclosed to satisfy the requirement.

For the service provider/joint marketing exception, NCUA has requested comment on whether there should be additional requirements regarding the disclosure of the information. As NCUA points out, joint agreements may carry certain risks. One suggestion is to require credit unions to take steps to ensure that jointly marketed products pose no undue risks to the credit union. This might include ensuring that the credit union’s sponsorship is evident from the marketing of the product or service.

For joint marketing agreements, credit unions are in the best position to assess the risks, either on their own or with outside assistance, and to take the necessary actions to protect themselves. Nothing should be included in the final rule to require documentation of the credit union’s assessment of the risks.

Examples of joint marketing agreements would be helpful. However, joint marketing agreements may take many forms and that should be clarified if examples are provided in the final rule.

On a somewhat related matter, we believe the Act does not prohibit the disclosure of encrypted account numbers to a marketing firm if the marketer does not receive the key to decrypt the number. We encourage NCUA to permit the release of the encrypted account number without the key in situations where there is a joint marketing agreement. This approach will serve to protect consumer privacy while also providing a tool for administrative efficiency in processing consumer initiated transactions.

Exception for transaction processing

Another exception to the opt out requirement is for disclosures necessary to enforce or administer an authorized transaction. This exception should clarify that all activities related to possible collection activities should be included, such as monitoring real estate and automobile loans to ensure that there is sufficient insurance for purposes of protecting the collateral.

Exception for consumer consent

Another exception to the opt out requirement is when there is consent from the member or others with a relationship with the credit union. NCUA has raised an issue as to whether there should be safeguards to minimize potential for confusion. Such safeguards should not be in the rule. It is in the credit union’s best interest to avoid the potential for confusion. The cost and burden of member dissatisfaction provide sufficient incentive to avoid such a result. Credit unions are also in the best position to determine the best methods for avoiding such confusion.

Redisclosure

Under the proposed rule, when a credit union discloses nonpublic personal information to a nonaffiliated third party, the third party may not redisclose that information unless it would have been "lawful" if made directly by the credit union. NCUA has requested comment on whether credit unions should be required to develop procedures to ensure that third parties comply with the limits on redisclosure.

Although some credit unions may choose to develop such procedures, we do not believe that they should be required. Such a requirement could result in audits of third party practices, which would be very burdensome and costly. Other than the credit union’s responsibility to enter into a contract to limit the use of the information and to ensure confidentiality, the third parties must assume ultimate responsibility for complying with the privacy rules issued by the agency that regulates the third party. If NCUA ultimately decides to adopt provisions in the final rule requiring such procedures, we believe such provisions should only apply if a credit union has reason to believe that the third party will not comply with the limits on redisclosure.

Examples

We appreciate the examples that are provided in the proposed rule and NCUA’s efforts to draft specific examples that are applicable to credit unions. However, there are certain examples that credit unions will be concerned about, such as the requirement for inclusion of a stamped reply with the opt out notice and the 30-day period as a reasonable time for individuals to exercise an opt out right. Although these may not be required, including them in the rule as examples may still give the impression that these examples must be adhered to. For this reason, we suggest that such examples be included in the supplementary material and not in the rule itself.

We also request another possible example. With regard to sending the annual and opt out notice, it would be useful to include an example that permits credit unions to send an e-mail to the members or other individuals that directs them to a website that contains the necessary information. This, of course, would be with the understanding that there would be consent to receive such notices electronically.

Although the proposed rule would probably permit such an alternative, we believe a specific example is warranted. While no one can predict the evolution of technology, this example may over time be an appealing alternative for credit unions. Also, the Federal Reserve Board has recently issued proposed rules that would permit financial institutions to provide the disclosures required under Regulations B, E, Z, M, and DD by electronic means. These rules specifically provide financial institutions with the ability to send an e-mail to consumers that directs them to a website that contains the actual disclosure. We understand that the federal regulators want the privacy rule to be consistent with the Federal Reserve Board’s electronic disclosure rules and providing this specific example would help to achieve this consistency.

It would also be helpful to provide examples with regard to the provisions that outline the exceptions to the notice and opt out requirements. Examples that would be particularly helpful would be those that illustrate the disclosure of nonpublic personal information "to perform services for you or functions on your behalf," "to effect, administer, or enforce a transaction," and "to service or process a financial product or service."

Also, the notice provisions of the rule refer to the disclosure of a credit union’s "privacy policies and practices." However, the required contents of the initial and annual notices refer mainly to the policies of the credit union. Confusion can be minimized if the references to "practices" are removed.

* * * * * * * * * * * *

Thank you for the opportunity to comment on NCUA’s proposed rule on privacy. If Board members or agency staff have questions about our comments, please contact General Counsel Eric Richard at (202) 218-7796, Senior Vice President and Associate General Counsel Mary Dunn at (202) 218-7769, or me at (202) 218-7795.

Sincerely,

Jeffrey Bloch
Assistant General Counsel