Privacy of Member Information (Ch. 4) Flashcards
Which law is implemented by Regulation P? What federal agency has rulemaking authority regarding Regulation P?
Gramm-Leach-Bliley Act of 1999 (GLBA). The CFPB, which issues Regulation P at 12 CFR Part 1016.
What kind of information is protected by Regulation P?
Nonpublic Personal Information (NPI), which covers two things:
- Personally identifiable financial information: information a credit union collects about a consumer in connection with providing a financial product or service. Examples:
– Information provided during an application process
– Information about an account’s terms, status or history
– Information pertaining to the consumer’s membership
- Any list, description, or other grouping of consumers (and publicly available information pertaining to them) that is derived using personally identifiable financial information that is not publicly available. "Publicly available" information is information the credit union reasonably believes is lawfully made available to the general public (for example, a listed telephone number that the member has not had unlisted).
What is the difference between customers and consumers? Which group receives notices and an opportunity to opt out under Regulation P?
- Consumer: An individual who obtains or has obtained a financial product or service from a credit union that is to be used primarily for personal, family or household purposes.
- Customer: A consumer who has a customer relationship with the credit union. A customer relationship is a continuing relationship in which the credit union provides one or more financial products or services to the consumer that are to be used primarily for personal, family or household purposes.
Customers receive the initial and annual privacy notices as a matter of course. A consumer who is not a customer must receive a privacy notice and an opt-out notice only if the credit union intends to disclose that consumer’s NPI to a nonaffiliated third party outside an exception; in that case both consumers and customers receive the notice and the opportunity to opt out.
The opt-out disclosure must inform the consumer that the credit union may share the consumer’s information, that the consumer can opt out of that sharing, and how to exercise the right to opt out.
When is an initial privacy notice required?
Not later than when a member establishes a customer relationship with the credit union. The credit union must also provide the notice to a consumer (who is not a customer) before it discloses the consumer’s NPI to a nonaffiliated third party, unless it does so under an exception.
When is an annual notice NOT required?
Both of the following conditions must be met:
- The credit union shares NPI with nonaffiliated third parties only under exceptions that do not trigger the member’s opt-out rights
- There have been no changes to the information sharing policies and practices since they were last disclosed to the member
When are revised notices required?
Only when the credit union changes its disclosure policies in one of the following ways; the revised notice and a new opportunity to opt out must be provided before the changed disclosure begins:
– Discloses a new category of NPI to nonaffiliated third parties
– Discloses NPI to a new category of nonaffiliated third parties
– Discloses NPI of former members to a nonaffiliated third party when they have not otherwise had an opportunity to opt out
How can a credit union deliver notices under the privacy rule?
Notices must be delivered so that the consumer can reasonably be expected to receive actual notice, in writing or, if the consumer agrees, electronically. An oral description alone is not sufficient.
Loan product: a single initial notice can be provided for both, unless the notice includes an opt-out disclosure.
Annual notice: same delivery options as the initial notice, with the following additions:
- Continuous posting on the credit union’s website, if the member uses the website to access financial products or services electronically and has agreed to receive notices there
- The member has requested that the credit union not send information about the relationship, the credit union does not send it, and the current notice remains available on request
What are the EXCEPTIONS for sharing information without following the notice and opt-out rule? To take advantage of the service provider and joint marketing exception, does the credit union have to do anything regarding third parties?
- Service Providers and Joint Marketers (two conditions must be met)
• The sharing with these parties must be described in the credit union’s privacy notices
• The credit union must have a contract with the third party that limits the third party’s use of the member information to the purpose for which it was disclosed and requires it to protect the information
– Separately, the credit union cannot disclose a member’s account number or similar access code for a credit card, deposit or transaction account to a nonaffiliated third party for use in telemarketing, direct mail or email marketing.
– Encrypted account numbers are acceptable, as long as the credit union does not give the recipient the means to decode them.
- Processing and Servicing Transactions
• Disclosures needed to carry out routine business transactions involving existing accounts, such as servicing loans, preparing statements, processing payments and verifying funds
- General Exceptions
• With the member’s consent or at the member’s direction
• To the credit union’s auditors, attorneys and accountants
• To consumer reporting agencies, in accordance with the Fair Credit Reporting Act
• To respond to examiners and other regulatory authorities
• To respond to a subpoena or summons from federal, state or local authorities, or as otherwise required by law
When is the credit union required to provide an opt-out notice?
Before disclosing NPI to a nonaffiliated third party outside an exception, the credit union must:
- Describe the sharing it does in its initial, annual and revised privacy notices
- Provide an opt-out notice identifying the categories of NPI disclosed and the categories of nonaffiliated third parties it discloses to, describing the right to opt out, and stating a reasonable means of opting out
- Provide a reasonable opportunity to opt out before the disclosure is made
The disclosure may then proceed only for consumers who do not opt out.
What kind of information sharing is governed by the Affiliate Marketing Rule?
- The rule restricts a credit union and its affiliates from using ELIGIBILITY INFORMATION received from one another to make marketing solicitations; it does not restrict other sharing.
- The rule defines eligibility information as “any information which would be a consumer report if the exclusions from the definitions of consumer report [in the FCRA] did not apply.” This covers information bearing on:
• Personal identifiers
• Creditworthiness, credit standing and credit capacity
• Character, general reputation and personal characteristics
What does the Affiliate Marketing Rule require credit unions to do in order to do the information sharing which is covered by the rule?
Neither the credit union nor its affiliate may use “eligibility information” received from the other to make a “solicitation” for “marketing purposes” unless:
1) the information sharing practice is clearly and conspicuously disclosed to the member,
2) the member is given a reasonable opportunity and a simple method to opt out, and
3) the member does not opt out.
What are the rules surrounding a member’s ability to opt out? Can it expire? Can it be revoked?
The consumer must be given a reasonable and simple method for opting out and may opt out at any time.
• 30 days after the notice is sent is a safe-harbor “reasonable opportunity” to opt out
• The opt-out must remain in effect for at least 5 years; it may also be made indefinite
• If the opt-out has an expiration date, a renewal notice and a new opportunity to opt out must be provided before solicitations resume
• The affiliate marketing opt-out notice may be combined with the Regulation P annual privacy notice, if one is required
What is CAN-SPAM?
The Controlling the Assault of Non-Solicited Pornography and Marketing (CAN-SPAM) Act of 2003 establishes limitations and requirements on commercial email messages.
- It prohibits false or misleading header information in any email the credit union sends, commercial or not.
- Header information means the originating and destination email addresses and domain names (the “From”, “To” and “Reply-To” fields) and the routing information; these must be accurate and identify the person who initiated the message.
What is the difference between commercial content and transactional or relationship content? Are transactional/relationship emails subject to all of CAN-SPAM’s restrictions?
› Commercial content – advertises or promotes a commercial product or service, including content on a website operated for a commercial purpose
› Transactional or relationship content – facilitates an already agreed-upon transaction or updates a member about an ongoing transaction
If the primary purpose of an email is transactional or relationship, it may not contain false or misleading header information, but it is otherwise exempt from the remaining CAN-SPAM requirements.
If an email falls into the commercial content category, what are the restrictions on the message?
It must comply with all of the requirements of CAN-SPAM:
– No false or misleading header information
– No deceptive subject lines
– Clearly identifies the message as an advertisement
– Includes a valid physical postal address for the credit union
– Includes a functioning return email address or other mechanism for opting out of future messages
– Honors opt-out requests promptly (within 10 business days) and sends no further commercial messages to that address