CUNA waged a two-front battle to address this regulatory burden, pressing Congress to make a statutory change and the Consumer Financial Protection Bureau (CFPB) to ease this burden through regulation.
In October 2014, the CFPB amended the privacy regulation (Regulation P, 12 CFR 1016) to provide an alternative to the annual mailing requirement. Since this new privacy amendment went into effect Oct. 28, 2014, many credit unions have asked whether this means an end to the annual privacy disclosure mailings.
The answer is, “it depends.”
Although credit unions should be pleased with the CFPB’s willingness to address the burdensome annual privacy notice mailings, several conditions must be met for a credit union to use this new “alternative delivery method.”
As a quick review, the privacy regulation—which has been in place since 2000—is a disclosure rule and doesn’t prohibit a credit union from sharing information with other organizations. But a credit union may not disclose any nonpublic personal information about a member to a nonaffiliated third party unless:
Such sharing is covered by an exception, or
The credit union provides to the member a disclosure and opt-out notice, the member is given a reasonable opportunity to opt out, and the member doesn’t opt out.
The regulation also requires credit unions send privacy notices to each member annually. Credit unions can deliver written notices by hand, mail them to the members’ last known address (such as in a periodic statement or newsletter), or email them to members who conduct transactions electronically. The bureau refers to this as the “standard delivery method.”
Alternative delivery eligibility criteria
To be eligible to use the alternative delivery method, a credit union must meet the following criteria:
• Information-sharing can’t trigger opt-out rights. If the credit union shares nonpublic personal information in a way that requires an opt-out option for members, the credit union isn’t eligible for the alternative delivery method.
In other words, members’ nonpublic personal information must only be shared with nonaffiliated third parties as allowed by the exceptions in the regulation, such as joint marketing agreements with other financial institutions, process and servicing transactions, and for security or confidentiality purposes.
• Information in the privacy notice cannot have changed substantively since the member received the notice via the standard delivery method.
To provide greater flexibility, the CFPB does allow certain information on the privacy notice—such as the credit union’s name or the elimination of categories of information it shares—to change without jeopardizing use of the alternative delivery method.
A credit union that makes a substantive change to its information-sharing practices or its “policies and practices regarding protecting the confidentiality and security on nonpublic personal information” will have to first send a revised privacy notice via a standard delivery method before it can use the alternative delivery method to comply with the annual privacy notice requirement.
• The model privacy form must be used. Many credit unions didn’t change their privacy notices when federal agencies issued the optional model privacy form in 2009.
During this regulation’s development, CUNA raised concerns with the CFPB that requiring the use of the model form could obstruct many credit unions from the regulatory relief the rule provides. The bureau responded favorably by stating that changes to the privacy notice’s wording and layout don’t constitute a policy change.
So, a credit union may adopt the model form, load the model form on its website, inform members of its availability, and use the alternative delivery method immediately to satisfy its annual notice requirements—so long as it hasn’t substantively changed its privacy policies since the last mailed notice.
• Information shared by the relatively few credit unions that have "control over an affiliate"—meaning credit union service organizations (CUSOs)—might be subject to two additional eligibility criteria triggered by the Fair Credit Reporting Act (FCRA).
This depends on whether the credit union shares information such as credit reports or transaction histories with its CUSO. These credit unions need to closely review the new regulation to determine how to comply.
Alternative delivery method requirements
Eligible credit unions that choose to use the alternative delivery method to provide members with an annual privacy notice must:
• Inform members in a clear and conspicuous manner—at least annually—on an account statement, coupon book, notice, or disclosure that the privacy notice is available on the credit union’s website, will be mailed to members upon request, and hasn’t changed.
This availability notice must also include a specific Web address that takes the member directly to the page where the credit union posts its privacy notice, and a telephone number for members to request that the credit union mail the notice.
Although the proposal called for a toll-free number, CUNA successfully requested removal of that requirement.
This availability notice must be printed on a statement or notice the member likely will read—such as a periodic statement, but not an advertisement or newsletter.
• Post the current privacy notice in a continuous, clear, conspicuous, and easily accessible manner on its website. The credit union can't require a log-in name, password, or similar steps, and can’t impose any conditions for access.
Although the rule requires that the Web page hosting the privacy notice include only that content, the CFPB allows a link to supplemental privacy information located elsewhere on the credit union’s website.
• Mail the current privacy notice to members who request it by telephone within 10 calendar days. The CFPB doesn’t prohibit the credit union from including other materials when it mails the privacy notice.
Strictly a business decision
So, is mailing the privacy notice a thing of the past? That depends whether the credit union meets the eligibility criteria and, if so, whether the credit union complies with the necessary procedures.
Of course, if the credit union’s privacy policies substantively change, a new privacy notice must be mailed—or hand-delivered or emailed—to members and reposted on the credit union’s website for the new annual notice cycle.
Just as CFPB didn’t force credit unions to use the model form released in 2009, the bureau doesn’t require credit unions to use the alternative delivery method now.
Many credit unions will find notable cost savings in posting their privacy notices online, with an annual alert incorporated into their periodic statements.
But some credit unions, particularly smaller ones, might decide to keep mailing—or incorporating into their newsletter—a privacy notice that hasn’t changed for many years.
This is a business decision, not a regulatory mandate.
COLLEN KELLYis CUNA’s senior assistant general counsel for federal compliance. Contact CUNA’s compliance department at firstname.lastname@example.org.