Privacy of Consumer Financial Information (Regulation P)

Title V, Subtitle A of the Gramm-Leach-Bliley Act (GLBA) [1] governs the treatment of nonpublic personal information about consumers by financial institutions. Section 502 of the Subtitle, subject to certain exceptions, prohibits a financial institution from disclosing nonpublic personal information about a consumer to nonaffiliated third parties, unless (i) the institution satisfies various notice and opt-out requirements, and (ii) the consumer has not elected to opt out of the disclosure. Section 503 requires the institution to provide notice of its privacy policies and practices to its customers. Section 504 authorizes the issuance of regulations to implement these provisions.

Title X of the Dodd-Frank Act Wall Street Reform and Consumer Protection Act (Dodd-Frank Act) [2] granted rulemaking authority for most provisions of Subtitle A of Title V of GLBA to the Consumer Financial Protection Bureau (CFPB) with respect to financial institutions and other entities subject to the CFPB’s jurisdiction, except securities and futures-related companies and certain motor vehicle dealers. The Dodd-Frank Act also granted authority to the CFPB to examine and enforce compliance with these statutory provisions and their implementing regulations with respect to entities under CFPB jurisdiction. [3] In December 2011 the CFPB re-codified in Regulation P, 12 CFR Part 1016, the implementing regulations that were previously issued by the Board, the FDIC, the Federal Trade Commission (FTC), the NCUA, the OCC, and the former OTS. [4]

On December 1, 2009, the eight federal agencies jointly released a voluntary model privacy form designed to make it easier for consumers to understand how financial institutions collect and share nonpublic personal information. [5] The final rule adopting the model privacy form was effective on December 31, 2009.

On October 28, 2014, the CFPB published a final rule amending the requirements regarding financial institutions’ provision of their annual disclosures of privacy policies and practices to customers by creating an alternative delivery method that financial institutions can use under certain circumstances. [6] The amendment was effective immediately upon publication. The alternative delivery method allows a financial institution to provide an annual privacy notice by posting the annual notice on its web site, if the financial institution meets certain conditions.

As of December 4, 2015, section 75001 of the Fixing America’s Surface Transportation Act [7] (FAST Act) amended section 503 of GLBA to establish an exception to the annual privacy notice requirements whereby a financial institution that meets certain criteria is not required to provide an annual privacy notice to customers. The amendment was effective upon enactment.

There are fewer requirements to qualify for the exception to providing an annual privacy notice pursuant to the FAST Act GLBA amendments than there are to qualify to use the CFPB’s alternative delivery method; any institution that meets the requirements for using the alternative delivery method is effectively excepted from delivering an annual privacy notice.

Under the authority of GLBA and the Fair Credit Reporting Act, NCUA issued the Guidelines for Safeguarding Member Information, 12 CFR Part 748, Appendix A (Security Guidelines). The Security Guidelines require a credit union to establish standards relating to administrative, technical, and physical safeguards to ensure the security, confidentiality, integrity, and proper disposal of information. The Security Guidelines impose requirements separate from the privacy requirements of GLBA and Regulation P and address safeguarding the confidentiality and security of information and ensuring proper disposal of information. The Security Guidelines are directed toward preventing and responding to foreseeable threats to, or unauthorized access or use of, that information. The Security Guidelines provide that credit unions must contractually require their affiliated and nonaffiliated third-party service providers that have access to the credit union’s data containing personal information to protect that information. NCUA has also released the IT Security Compliance Guide, which is intended to help credit unions comply with the Security Guidelines.

You can find the full text of Regulation P here. You can find the sections of the GLBA relevant to consumer financial privacy here.

Associated Risks

Compliance Risk can occur when the credit union fails to implement the necessary controls to comply with Regulation P.

Reputation Risk can occur when members of the credit union learn of its failure to comply with Regulation P.

Examination Objectives

• To assess the quality of the credit union’s compliance management policies, procedures, and internal controls for implementing the regulation, specifically ensuring consistency between what the credit union tells consumers in its notices about its policies and practices and what it actually does.
• To determine the reliance that can be placed on the credit union’s policies, procedures, and internal controls for monitoring the credit union’s compliance with the regulation.
• To determine the credit union’s compliance with the regulation, specifically in meeting the following requirements:
  • Providing members notices of its privacy policies and practices that are timely, accurate, clear and conspicuous, and delivered so that each member can reasonably be expected to receive actual notice;
  • Disclosing nonpublic personal information to nonaffiliated third parties, other than under an exception, after first meeting the applicable requirements for giving members notice and the right to opt out;
  • Appropriately honoring member opt out directions;
  • Lawfully using or disclosing nonpublic personal information received from a nonaffiliated financial institution; and
  • Disclosing account numbers only according to the limits in the regulation.

  Examination Procedures [8]

  1. Through discussions with management and review of available information, identify the credit union’s information sharing practices (and changes to those practices) with affiliates and nonaffiliated third parties; how it treats nonpublic personal information; and how it administers opt-outs. Consider the following as appropriate:
     1. Notices (initial, annual, revised, opt-out, short-form, and simplified);
     2. Credit union privacy policies, procedures, and internal controls, including those to:
        • Process requests for nonpublic personal information, including requests for aggregated information;
        • Deliver notices to consumers;
        • Manage consumer opt out directions (e.g., designating files, allowing a reasonable time to opt out, providing new opt out and privacy notices when necessary, receiving opt out directions, handling joint account holders);
        • Prevent the unlawful disclosure and use of the information received from nonaffiliated financial institutions; and
        • Prevent the unlawful disclosure of account numbers;
     3. Information sharing agreements between the credit union and affiliates and service agreements or contracts between the credit union and nonaffiliated third parties either to obtain or provide information or services;
     4. Complaint logs, telemarketing scripts, and any other information obtained from nonaffiliated third parties (Note: review telemarketing scripts to determine whether the contractual terms set forth under §1016.13 are met and whether the credit union is disclosing account number information in violation of §1016.12);
     5. Categories of nonpublic personal information collected from or about consumers in obtaining a financial product or service (e.g., in the application process for deposit, loan, or investment products; for an over-the-counter purchase of a bank check; from E-banking products or services, including information collected electronically through Internet cookies; or through ATM transactions);
     6. Categories of nonpublic personal information shared with, or received from, each nonaffiliated third party;
     7. Consumer complaints regarding the treatment of nonpublic personal information, including those received electronically;
     8. Records that reflect the credit union’s categorization of its information sharing practices under § 1016.13, § 1016.14, § 1016.15, and outside of these exceptions; and
     9. Results of a 501(b) (15 U.S.C. 6801(b)) inspection (used to determine the accuracy of the credit union’s privacy disclosures regarding information security).
     1. Sufficiency of internal policies, procedures, and internal controls, including review of new products and services and controls over servicing arrangements and marketing arrangements;
     2. Effectiveness of management information systems, including the use of technology for monitoring, exception reports, and standardization of forms and procedures;
     3. Frequency and effectiveness of monitoring procedures;
     4. Adequacy and regularity of the credit union’s training program;
     5. Suitability of the compliance audit program for ensuring that:
        • The procedures address all regulatory provisions as applicable;
        • The work is accurate and comprehensive with respect to the credit union’s information sharing practices;
        • The frequency is appropriate;
        • conclusions are appropriately reached and presented to responsible parties;
        • Steps are taken to correct deficiencies and to follow-up on previously identified deficiencies; and
     6. Knowledge level of management and personnel.
     1. Summarize all findings.
     2. For violation(s) noted, determine the cause by identifying weaknesses in internal controls, compliance review, training, management oversight, or other areas.
     3. Identify action needed to correct violations and to address weaknesses in the credit union’s compliance system, as appropriate.
     4. Discuss findings with management and obtain a commitment for corrective action.

     PRIVACY NOTICE AND OPT OUT DECISION TREE

     

     Alternative Text

     Does the credit union share nonpublic personal information with nonaffiliated third parties under § 1016.14 and/or § 1016.15 and outside of the exceptions (with or without also sharing under § 1016.13)?

     If yes, then Module 1,

     • Privacy notice (presentation, content, and delivery) (with or without § 1016.13 notice & contracting)
     • Short form notice (optional for consumers)
     • Customer notice delivery rules
     • Opt out rules

     Otherwise if no, does the credit union share nonpublic personal information with nonaffiliated third parties under § 1016.13, and § 1016.14 and/or § 1016.15 but not outside the exceptions?

     If yes, then Module 2,

     • Privacy notice
     • Customer notice delivery rules
     • § 1016.13 notice & contracting

     Otherwise if no, does the credit union share nonpublic personal information with nonaffiliated third parties only under § 1016.14 and /or § 1016.15?

     If yes, then Module 3,

     • Privacy notice
     • Simplified notice (if applicable)
     • Customer notice delivery rules

     REDISCLOSURE AND REUSE OF NONPUBLIC PERSONAL INFORMATION RECEIVED FROM NONAFFILIATED FINANCIAL INSTITUTIONS DECISION TREE ( §§ 1016.11(a) and 1016.11(b) )

     

     Alternative Text

     Does the credit union receive nonpublic personal information from nonaffiliated financial institutions? If no, then no review necessary.

     If yes, how is that information received?

     If under §§ 1016.14 and/or 1016.15, then Module 4 receipt of information under §§ 1016.14 and/or 1016.15.

     If Outside of §§ 1016.14 and/or 1016.15, Module 5 receipt of information outside of §§ 1016.14 and/or 1016.15.

     ACCOUNT NUMBER SHARING DECISION TREE
     (§ 1016.12)

     

     Alternative Text

     Does the credit union share account numbers or similar access numbers or codes with nonaffiliated third parties (other than a consumer reporting agency) for telemarketing, direct mail or electronic mail marketing?

     If no, then no review necessary. This may include sharing of encrypted account numbers but not the decryption key.

     If yes, then Module 6 Account number sharing.

     Module 1 - Sharing nonpublic personal information with nonaffiliated third parties under §§ 1016.14 and/or 1016.15 and outside of the exceptions

     (With or without also sharing under § 1016.13)

     Note: Credit unions whose practices fall within this category engage in the most expansive degree of information sharing permissible. Consequently, these credit unions are held to the most comprehensive compliance standards imposed by the regulation.

     Note: As of December 4, 2015, a credit union is not required to provide an annual privacy notice to its applicable customers if it: (1) solely shares nonpublic personal information in accordance with the provisions of GLBA §§ 502(b)(2) (corresponding to Regulation P § 1016.13) or 502(e) (corresponding to Regulation P §§ 1016.14 and 1016.15) or regulations prescribed under GLBA § 504(b); and (2) has not changed its policies and practices with regard to disclosing nonpublic personal information since its most recent disclosure to its customers that was made in accordance with GLBA § 503. A credit union that at any time fails to comply with either of the criteria is not eligible for the exception and is required to provide an annual privacy notice to its customers.

     1. Disclosure of Nonpublic Personal Information
        1. Select a sample of third party relationships with nonaffiliated third parties and obtain a sample of information shared between the credit union and the third party both inside and outside of the exceptions. The sample should include a cross-section of relationships but should emphasize those that are higher risk in nature as determined by the initial procedures. Perform the following comparisons to evaluate the credit union’s compliance with disclosure limitations.
           1. Compare the categories of information shared and with whom the information was shared to those stated in the privacy notice and verify that what the credit union tells consumers (both members and those who are not members) in its notices about its policies and practices in this regard, and what the credit union actually does, are consistent (§§ 1016.6, 1016.10).
           2. Compare the information shared to a sample of opt out directions and verify that only nonpublic personal information covered under the exceptions or from consumers (customers and those who are not customers) who chose not to opt out is shared (§ 1016.10).
           1. Review the credit union’s initial, annual and revised notices, as well as any short-form notices that the credit union may use for consumers who are not members. Determine whether or not these notices:
              1. Are clear and conspicuous (§§ 1016.3, 1016.4, 1016.5(a)(1), 1016.8(a)(1));
              2. Accurately reflect the credit union’s policies and practices (§§ 1016.4(a), 1016.5(a)(1), 1016.8(a)(1)). Note: this includes policies and practices disclosed in the notices that exceed regulatory requirements; and
              3. Include, and adequately describe, all required items of information and contain examples as applicable (§ 1016.6). Note that if the credit union shares under nonpublic personal information under § 1016.13 the notice provisions for that section shall also apply.
              4. If the model privacy form is used, determine that it reflects the credit union’s policies and practices. For credit unions seeking a safe harbor for compliance with the content requirements of the regulation, verify that the notice has the proper content and is in the proper format as specified in the Appendix of the regulation.
              1. Timeliness of delivery (§§ 1016.4(a), 1016.7(c), 1016.8(a)); and
              2. Reasonableness of the method of delivery (e.g., by hand; by mail; electronically, if the consumer agrees; or as a necessary step of a transaction) (§ 1016.9).
              3. For members only, review the timeliness of delivery (§§ 1016.4(d), 1016.4(e), 1016.5(a)), means of delivery of annual notice (§ 1016.9(c)), and accessibility of or ability to retain the notice (§ 1016.9(e)).
              1. Review the credit union’s opt-out notices. An opt-out notice may be combined with the credit union’s privacy notices. Regardless, determine whether the opt-out notices:
                 1. Are clear and conspicuous (§§ 1016.3(b) and 1016.7(a)(1));
                 2. Accurately explain the right to opt-out (§ 1016.7(a)(1));
                 3. Include and adequately describe the three required items of information (the credit union’s policy regarding disclosure of nonpublic personal information, the consumer’s opt-out right, and the means to opt-out) (§ 1016.7(a)(1)); and
                 4. Describe how the credit union treats joint relationships, as applicable (§ 1016.7(e)).
                 1. Timeliness of delivery (§ 1016.10(a)(1));
                 2. Reasonableness of the method of delivery (e.g., by hand; by mail; electronically, if the consumer agrees; or as a necessary step of a transaction) (§ 1016.9);
                 3. Reasonableness of the opportunity to opt-out (the time allowed to and the means by which the consumer may opt-out) (§§ 1016.10(a)(1)(iii), 1016.10(a)(3)); and
                 4. Adequacy of procedures to implement and track the status of a consumer's (members and those who are not members) opt-out direction, including those of former members (§§ 1016.7(e)-(g)).
                 Checklist Cross References – Module 1

                 Regulation Section	Subject	Checklist Questions
                 1016.4(a), 1016.6(a, b, c, e), and 1016.9(a, b, g)	Privacy notices (presentation, content, and delivery)	2, 8-11, 14, 18, 35, 36, 41
                 1016.4(a, c, d, e), 1016.5, and 1016.9(c, e)	Customer notice delivery rules	1, 3-7, 37-39
                 1016.13	§ 1016.13 notice and contracting rules (as applicable)	12, 48
                 1016.6(d)	Short form notice rules (optional for consumers only)	15-17
                 1016.7, 1016.8, and 1016.10	Opt-out rules	19-34, 42-44
                 1016.14 and 1016.15	Exceptions	49-51

                 Module 2 - Sharing nonpublic personal information with nonaffiliated third parties under §§ 1016.13 , and 1016.14 and/or 1016.15 but not outside of these exceptions

                 Note: As of December 4, 2015, a credit union is not required to provide an annual privacy notice to its applicable customers if it: (1) solely shares nonpublic personal information in accordance with the provisions of GLBA §§ 502(b)(2) (corresponding to Regulation P § 1016.13) or 502(e) (corresponding to Regulation P §§1016.14 and 1016.15) or regulations prescribed under GLBA § 504(b); and (2) has not changed its policies and practices with regard to disclosing nonpublic personal information since its most recent disclosure to its customers that was made in accordance with GLBA § 503. A credit union that at any time fails to comply with either of the criteria is not eligible for the exception and is required to provide an annual privacy notice to its customers.

                 1. Disclosure of Nonpublic Personal Information
                    1. Select a sample of third party relationships with nonaffiliated third parties and obtain a sample of information shared between the credit union and the third party. The sample should include a cross-section of relationships but should emphasize those that are higher risk in nature as determined by the initial procedures. Perform the following comparisons to evaluate the credit union’s compliance with disclosure limitations.
                       1. Compare the information shared and with whom the information was shared to ensure that the credit union accurately categorized its information sharing practices and is not sharing nonpublic personal information outside the exceptions (§§ 1016.13, 1016.14, 1016.15).
                       2. Compare the categories of information shared and with whom the information was shared to those stated in the privacy notice and verify that what the credit union tells consumers in its notices about its policies and practices in this regard and what the credit union actually does are consistent (§§ 1016.6, 1016.10).
                       3. If the model privacy form is used, determine that it reflects the credit union’s policies and practices. For credit unions seeking a safe harbor for compliance with the content requirements of the regulation, verify that the notice has the proper content and is in the proper format as specified in the Appendix of the regulation.
                       1. Review the credit union’s initial and annual privacy notices. Determine whether or not they:
                          1. Are clear and conspicuous (§§ 1016.3(b), 1016.4(a), 1016.5(a)(1));
                          2. Accurately reflect the institution’s policies and practices (§§ 1016.4(a), 1016.5(a)(1)). Note, this includes policies and practices disclosed in the notices that exceed regulatory requirements; and
                          3. Include, and adequately describe, all required items of information and contain examples as applicable (§§ 1016.6, 1016.13).
                          1. Timeliness of delivery (§ 1016.4(a)); and
                          2. Reasonableness of the method of delivery (e.g., by hand; by mail; electronically, if the consumer agrees; as a necessary step of a transaction; or pursuant to the alternative delivery method) (§ 1016.9).
                          3. For members only, review the timeliness of delivery (§§ 1016.4(d), 1016.4(e), and 1016.5(a)), means of delivery of annual notice (§ 1016.9(c)), and accessibility of or ability to retain the notice (§ 1016.9(e)).
                          Checklist Cross References – Module 2

                          Regulation Section	Subject	Checklist Questions
                          1016.4(a), 1016.6(a, b, c, e), and 1016.9(a, b, i)	Privacy notices (presentation, content, and delivery)	2, 8-11, 14, 18, 35, 36, 41
                          1016.4(a, c, d, e), 1016.5, and 1016.9(c, e)	Customer notice delivery rules	1, 3-7, 37-39
                          1016.13	Exceptions to Opt-Out	12, 48
                          1016.14 and 1016.15	Exceptions	49-51

                          Module 3 - Sharing nonpublic personal information with nonaffiliated third parties only under §§ 1016.14 and/or 1016.15

                          NOTE: This module applies only to members.

                          Note: As of December 4, 2015, a credit union is not required to provide an annual privacy notice to its applicable customers if it: (1) solely shares nonpublic personal information in accordance with the provisions of GLBA §§ 502(b)(2) (corresponding to Regulation P § 1016.13) or 502(e) (corresponding to Regulation P §§ 1016.14 and 1016.15) or regulations prescribed under GLBA § 504(b); and (2) has not changed its policies and practices with regard to disclosing nonpublic personal information since its most recent disclosure to its customers that was made in accordance with GLBA § 503. A credit union that at any time fails to comply with either of the criteria is not eligible for the exception and is required to provide an annual privacy notice to its customers.

                          1. Disclosure of Nonpublic Personal Information
                             1. Select a sample of third party relationships with nonaffiliated third parties and obtain a sample of information shared between the credit union and the third party.
                                1. Compare the information shared and with whom the information was shared to ensure that the credit union accurately states its information sharing practices and is not sharing nonpublic personal information outside the exceptions.
                                1. Obtain and review the credit union’s initial and annual notices, as well as any simplified notice that the credit union may use. Note that the credit union may only use the simplified notice when it does not also share nonpublic personal information with affiliates outside of §§ 1016.14 and 1016.15 exceptions. Determine whether or not these notices:
                                   1. Are clear and conspicuous (§§ 1016.3(b), 1016.4(a), 1016.5(a)(1));
                                   2. Accurately reflect the credit union’s policies and practices (§§ 1016.4(a), 1016.5(a)(1)). Note, this includes policies and practices disclosed in the notices that exceed regulatory requirements; and
                                   3. Include, and adequately describe, all required items of information (§ 1016.6).
                                   4. If the model privacy form is used, determine that it reflects the credit union’s policies and practices. For credit unions seeking a safe harbor for compliance with the content requirements of the regulation, verify that the notice has the proper content and is in the proper format as specified in the Appendix of the regulation.
                                   1. Timeliness of delivery (§§ 1016.4(a), 1016.4(d), 1016.4(e), 1016.5(a)); and
                                   2. Reasonableness of the method of delivery (e.g., by hand; by mail; electronically, if the member agrees; as a necessary step of a transaction; or pursuant to the alternative delivery method) (§ 1016.9) and accessibility of or ability to retain the notice (§ 1016.9(e)).
                                   Checklist Cross References – Module 3

                                   Regulation Section	Subject	Checklist Questions
                                   1016.4 (a, d, e), 1016.5, and 1016.9	Member notice delivery process	1, 3-7, 35-41
                                   1016.6	Member notice content and presentation	8-11, 14, 18
                                   1016.6 (c)(5)	Simplified notice content (optional)	13
                                   1016.14 and 1016.15	Exceptions	49-51

                                   Module 4 - Redisclosure and Reuse of nonpublic personal information received from a nonaffiliated financial institution under §§ 1016.14 and/or 1016.15

                                   1. Through discussions with management and review of the credit union’s policies, procedures, and internal controls, determine whether the credit union has adequate policies, procedures, and internal controls to prevent the unlawful redisclosure and reuse of the information where the credit union is the recipient of nonpublic personal information (§ 1016.11(a)).
                                   2. Select a sample of information received from nonaffiliated financial institutions, to evaluate the credit union’s compliance with redisclosure and reuse limitations.
                                      1. Verify that the credit union’s redisclosure of the information was only to affiliates of the credit union from which the information was obtained or to the credit union’s own affiliates, except as otherwise allowed in the step 2 below (§ 1016.11(a)(1)(i) and (ii)).
                                      2. Verify that the credit union only uses and shares the information pursuant to an exception in §§ 1016.14 and 1016.15 (§ 1016.11(a)(1)(iii)).
                                      Checklist Cross References – Module 4

                                      Regulation Section	Subject	Checklist Question
                                      1016.11(a)	Redisclosure and reuse	45
                                      1016.14, 1016.15	Exceptions	49-51

                                      Module 5 - Redisclosure of nonpublic personal information received from a nonaffiliated financial institution outside of §§ 1016.14 and 1016.15

                                      1. Through discussions with management and review of the credit union’s policies, procedures, and internal controls, determine whether the credit union has adequate policies, procedures, and internal controls to prevent the unlawful redisclosure of the information where the credit union is the recipient of nonpublic personal information (§ 1016.11(b)).
                                      2. Select a sample of information received from nonaffiliated financial institutions and shared with others to evaluate the credit union’s compliance with redisclosure limitations.
                                         1. Verify that the credit union’s redisclosure of the information was only to affiliates of the credit union from which the information was obtained or to the credit union’s own affiliates, except as otherwise allowed in the step 2 below (§ 1016.11(b)(1)(i) and (ii)).
                                         2. If the credit union shares information with entities other than those under step 1 above, verify that the credit union’s information sharing practices conform to those in the nonaffiliated financial institution’s privacy notice (§ 1016.11(b)(1)(iii)).
                                         3. Also, review the procedures used by the credit union to ensure that the information sharing reflects the opt-out status of the consumers of the nonaffiliated financial institution (§§ 1016.10, 1016.11(b)(1)(iii)).
                                         Checklist Cross References – Module 5

                                         Regulation Section	Subject	Checklist Question
                                         1016.11(b)	Redisclosure	46

                                         Module 6 - Account number sharing

                                         1. If available, review a sample of telemarketer scripts used when making sales calls to determine whether the scripts indicate that the telemarketers have the account numbers of the credit union’s members (§ 1016.12(a)).
                                         2. Obtain and review a sample of contracts with agents or service providers to whom the credit union discloses account numbers for use in connection with marketing the credit union's own products or services. Determine whether the credit union shares account numbers with nonaffiliated third parties only to perform marketing for the credit union’s own products and services. Ensure that the contracts do not authorize these nonaffiliated third parties to directly initiate charges to the accounts (§ 1016.12(b)(1)).
                                         3. Obtain a sample of materials and information provided to the consumer upon entering a private label or affinity credit card program. Determine if the participants in each program are identified to the member when the member enters into the program (§ 1016.12(b)(2)).
                                         4. Checklist Cross References – Module 6
                                         Checklist Cross References – Module 6

                                         Regulation Section	Subject	Checklist Question
                                         1016.12	Account number sharing	47

                                         PRIVACY OF CONSUMER FINANCIAL INFORMATION
                                         (REGULATION P)
                                         CHECKLIST

                                         SUBPART A

                                         Initial Privacy Notice

                                         Initial Privacy Notice

                                         Item	Description	Yes	No	N/A
                                         1	Does the credit union provide a clear and conspicuous notice that accurately reflects its privacy policies and practices to all customers not later than when the customer relationship is established, other than as allowed in paragraph (e) of section 4 of the regulation? (§ 1016.4(a)(1))

                                         Annual Privacy Notice

                                         Annual Privacy Notice

                                         Item	Description	Yes	No	N/A
                                         6	Does the credit union provide a clear and conspicuous notice that accurately reflects its privacy policies and practices at least annually (that is, at least once in any period of 12 consecutive months) to customers, unless an exception to the annual privacy notice requirement applies? (§§ 1016.5(a)(1)-(2))

                                         Content of Privacy Notices

                                         Content of Privacy Notices

                                         Item	Description	Yes	No	N/A
                                         8	Do the initial, annual, and revised privacy notices include each of the following, as applicable:	N/A	N/A	N/A
                                         8(a)	The categories of nonpublic personal information that the credit union collects; (§ 1016.6(a)(1))
                                         8(b)	The categories of nonpublic personal information that the credit union discloses; (§ 1016.6(a)(2))
                                         8(c)	The categories of affiliates and nonaffiliated third parties to whom the credit union discloses nonpublic personal information, other than parties to whom information is disclosed under an exception in §§ 1016.14 or 1016.15; (§ 1016.6(a)(3))
                                         8(d)	The categories of nonpublic personal information disclosed about former customers, and the categories of affiliates and nonaffiliated third parties to whom the credit union discloses that information, other than those parties to whom the credit union discloses information under an exception in §§ 1016.14 or 1016.15; (§ 1016.6(a)(4))
                                         8(e)	If the credit union discloses nonpublic personal information to a nonaffiliated third party under § 1016.13, and no exception under §§ 1016.14 or 1016.15 applies, a separate statement of the categories of information the credit union discloses and the categories of third parties with whom the credit union has contracted; (§ 1016.6(a)(5))
                                         8(f)	An explanation of the opt out right, including the method(s) of opt out that the consumer can use at the time of the notice; (§ 1016.6(a)(6))
                                         8(g)	Any disclosures that the credit union makes under FCRA § 603(d)(2)(A)(iii); (§ 1016.6(a)(7))
                                         8(h)	The credit union’s policies and practices with respect to protecting the confidentiality and security of nonpublic personal information; (§ 1016.6(a)(8)) and
                                         8(i)	A general statement that the credit union makes disclosures to other nonaffiliated third parties for everyday business purposes, such as (with the credit union including all purposes that are applicable) to process transactions, maintain accounts, respond to court orders and legal investigations, or report to credit bureaus, or as permitted by law? (§ 1016.6(a)(9), (b)(1) and (2))

                                         Opt-Out Notice

                                         Opt-Out Notice

                                         Item	Description	Yes	No	N/A
                                         19	If the credit union discloses nonpublic personal information about a consumer to a nonaffiliated third party, and the exceptions under §§ 1016.13, 1016.14, and 1016.15 do not apply, does the credit union provide the consumer with a clear and conspicuous opt-out notice that accurately explains the right to-opt out? (§ 1016.7(a)(1))
                                         20	Does the opt-out notice state:	N/A	N/A	N/A
                                         20(a)	The credit union discloses or reserves the right to disclose nonpublic personal information about the consumer to a nonaffiliated third party; (§ 1016.7(a)(1)(i))
                                         20(b)	The consumer has the right to opt-out of that disclosure; (§ 1016.7(a)(1)(ii)) and
                                         20(c)	A reasonable means by which the consumer may opt-out? (§ 1016.7(a)(1)(iii))
                                         21	Does the credit union provide the consumer with the following information about the right to opt-out:	N/A	N/A	N/A
                                         21(a)	All of the categories of nonpublic personal information that the credit union discloses or reserves the right to disclose; (§ 1016.7(a)(2)(i)(A))
                                         21(b)	All the categories of nonaffiliated third parties to whom the information is disclosed; (§ 1016.7(a)(2)(i)(A))
                                         21(c)	The consumer has the right to opt-out of the disclosure of that information; (§ 1016.7(a)(2)(i)(A)) and
                                         21(d)	The financial products or services that the consumer obtains to which the opt-out direction would apply? (§ 1016.7(a)(2)(i)(B))
                                         22	Does the credit union provide the consumer with at least one of the following reasonable means of opting out, or with another reasonable means:	N/A	N/A	N/A
                                         22(a)	Check-off boxes prominently displayed on the relevant forms with the opt-out notice; (§ 1016.7(a)(2)(ii)(A))
                                         22(b)	A reply form included with the opt-out notice; (§ 1016.7(a)(2)(ii)(B))
                                         22(c)	An electronic means to opt-out, such as a form that can be sent via electronic mail or a process at the credit union’s web site, if the consumer agrees to the electronic delivery of information; (§ 1016.7(a)(2)(ii)(C)) or
                                         22(d)	A toll-free telephone number? (§ 1016.7(a)(2)(ii)(D))

                                         (Note: The credit union may require the consumer to use one specific means, as long as that means is reasonable for that consumer. (§ 1016.7(a)(2)(iv)))

                                         Opt-Out Notice continued

                                         Item	Description	Yes	No	N/A
                                         23	If the credit union delivers the opt-out notice after the initial notice, does the credit union provide the initial notice once again with the opt-out notice? (§ 1016.7(c))
                                         24	Does the credit union provide an opt-out notice, explaining how the credit union will treat opt-out directions by the joint consumers, to at least one party in a joint consumer relationship? (§ 1016.7(d)(2))
                                         25	Does the credit union permit each of the joint consumers in a joint relationship to opt-out? (§ 1016.7(d)(2))
                                         26	Does the opt-out notice to joint consumers state that either:	N/A	N/A	N/A
                                         26(a)	The credit union will consider an opt-out by a joint consumer as applying to all associated joint consumers; (§ 1016.7(d)(2)(i)) or
                                         26(b)	Each joint consumer is permitted to opt-out separately? (§ 1016.7(d)(2)(ii))
                                         27	If each joint consumer may opt-out separately, does the credit union permit:	N/A	N/A	N/A
                                         27(a)	One joint consumer to opt-out on behalf of all of the joint consumers; (§ 1016.7(d)(3))
                                         27(b)	The joint consumers to notify the credit union in a single response; (§ 1016.7(d)(5)(i)) and
                                         27(c)	Each joint consumer to opt-out either for himself or herself, and/or for another joint consumer? (§ 1016.7(d)(5)(ii))
                                         28	Does the credit union refrain from requiring all joint consumers to opt out before implementing any opt-out direction with respect to the joint account? (§ 1016.7(d)(4))
                                         29	Does the credit union comply with a consumer’s direction to opt-out as soon as is reasonably practicable after receiving it? (§ 1016.7(g))
                                         30	Does the credit union allow the consumer to opt-out at any time? (§ 1016.7(h))
                                         31	Does the credit union continue to honor the consumer’s opt-out direction until revoked by the consumer in writing, or, if the consumer agrees, electronically? (§ 1016.7(i)(1))
                                         32	When a customer relationship ends, does the credit union continue to apply the customer’s opt-out direction to the nonpublic personal information collected during, or related to, that specific customer relationship (but not to new relationships, if any, subsequently established by that customer)? (§ 1016.7(i)(2))

                                         Revised Notices

                                         Revised Notices

                                         Item	Description	Yes	No	N/A
                                         33	Except as permitted by §§ 1016.13, 1016.14, and 1016.15, does the credit union refrain from disclosing any nonpublic personal information about a consumer to a nonaffiliated third party, other than as described in the initial privacy notice provided to the consumer, unless:	N/A	N/A	N/A
                                         33(a)	The credit union has provided the consumer with a clear and conspicuous revised notice that accurately describes the credit union's privacy policies and practices; (§ 1016.8(a)(1))
                                         33(b)	The credit union has provided the consumer with a new opt-out notice; (§ 1016.8(a)(2))
                                         33(c)	The credit union has given the consumer a reasonable opportunity to opt out of the disclosure, before disclosing any information; (§ 1016.8(a)(3)) and
                                         33(d)	The consumer has not opted out? (§ 1016.8(a)(4))
                                         34	Does the credit union deliver a revised privacy notice when it:	N/A	N/A	N/A
                                         34(a)	Discloses a new category of nonpublic personal information to a nonaffiliated third party; (§ 1016.8(b)(1)(i))
                                         34(b)	Discloses nonpublic personal information to a new category of nonaffiliated third party; (§ 1016.8(b)(1)(ii)) or
                                         34(c)	Discloses nonpublic personal information about a former customer to a nonaffiliated third party, if that former customer has not had the opportunity to exercise an opt-out right regarding that disclosure? (§ 1016.8(b)(1)(iii))

                                         (Note: A revised notice is not required if the credit union adequately described the nonaffiliated third party or information to be disclosed in the prior privacy notice. (§ 1016.8(b)(2)))

                                         Delivery Methods

                                         Delivery Methods

                                         Item	Description	Yes	No	N/A
                                         35	Does the credit union deliver the privacy and opt-out notices, including the short-form notice, so that the consumer can reasonably be expected to receive actual notice in writing or, if the consumer agrees, electronically? (§ 1016.9(a))
                                         36	Does the credit union use a reasonable means for delivering the notices, such as:	N/A	N/A	N/A
                                         36(a)	Hand-delivery of a printed copy; (§ 1016.9(b)(1)(i))
                                         36(b)	Mailing a printed copy to the last known address of the consumer; (§ 1016.9(b)(1)(ii))
                                         36(c)	For the consumer who conducts transactions electronically, clearly and conspicuously posting the notice on the credit union’s electronic site and requiring the consumer to acknowledge receipt as a necessary step to obtaining a financial product or service; (§ 1016.9(b)(1)(iii)) or
                                         36(d)	For isolated transactions, such as ATM transactions, posting the notice on the screen and requiring the member to acknowledge receipt as a necessary step to obtaining the financial product or service? (§ 1016.9(b)(1)(iv))

                                         SUBPART B

                                         Limits on Disclosure to Nonaffiliated Third Parties

                                         Limits on Disclosure to Nonaffiliated Third Parties

                                         Item	Description	Yes	No	N/A
                                         43	Does the credit union refrain from disclosing any nonpublic personal information about a consumer to a nonaffiliated third party, other than as permitted under §§ 1016.13, 1016.14, and 1016.15, unless:	N/A	N/A	N/A
                                         43(a)	It has provided the consumer with an initial notice; (§ 1016.10(a)(1)(i))
                                         43(b)	It has provided the consumer with an opt-out notice; (§ 1016.10(a)(1)(ii))
                                         43(c)	It has given the consumer a reasonable opportunity to opt out before the disclosure; (§ 1016.10(a)(1)(iii)) and
                                         43(d)	The consumer has not opted out? (§ 1016.10(a)(1)(iv))

                                         Limits on Redisclosure and Reuse of Information

                                         Limits on Redisclosure and Reuse of Information

                                         Item	Description	Yes	No	N/A
                                         46	If the credit union receives information from a nonaffiliated financial institution under an exception in §§ 1016.14 or 1016.15, does the credit union refrain from using or disclosing the information except:	N/A	N/A	N/A
                                         46(a)	To disclose the information to the affiliates of the financial institution from which it received the information; (§1016.11(a)(1)(i))
                                         46(b)	To disclose the information to its own affiliates, which are in turn limited by the same disclosure and use restrictions as the recipient institution; (§ 1016.11(a)(1)(ii)) and
                                         46(c)	To disclose and use the information pursuant to an exception in §§ 1016.14 or 1016.15 in the ordinary course of business to carry out the activity covered by the exception under which the information was received? (§ 1016.11(a)(1)(iii))

                                         Limits on Sharing Account Number Information for Marketing Purposes

                                         Limits on Sharing Account Number Information for Marketing Purposes

                                         Item	Description	Yes	No	N/A
                                         48	Does the credit union refrain from disclosing, directly or through affiliates, account numbers or similar forms of access numbers or access codes for a consumer's credit card account, deposit account, or transaction account to any nonaffiliated third party (other than to a consumer reporting agency) for telemarketing, direct mail or electronic mail marketing to the consumer, except:	N/A	N/A	N/A
                                         48(a)	To the credit union’s agents or service providers solely to market the credit union’s own products or services, as long as the agent or service provider is not authorized to directly initiate charges to the account; (§ 1016.12(b)(1)) or
                                         48(b)	To a participant in a private label credit card program or an affinity or similar program where the participants in the program are identified to the customer when the customer enters into the program? (§ 1016.12(b)(2))

                                         SUBPART C

                                         Exception to Opt Out Requirements for Service Providers and Joint Marketing

                                         Exception to Opt Out Requirements for Service Providers and Joint Marketing

                                         Item	Description	Yes	No	N/A
                                         49	If the credit union discloses nonpublic personal information to a nonaffiliated third party without permitting the consumer to opt out, do the opt-out requirements of §§ 1016.7 and 1016.10, and the revised notice requirements in § 1016.8, not apply because:	N/A	N/A	N/A
                                         49(a)	The credit union disclosed the information to a nonaffiliated third party who performs services for or functions on behalf of the credit union (including joint marketing of financial products and services offered pursuant to a joint agreement as defined in § 1016.13(b)); (§1016.13(a)(1))
                                         49(b)	The credit union has provided consumers with the initial notice; (§ 1016.13(a)(1)(i)) and
                                         49(c)	The credit union has entered into a contract with that party prohibiting the party from disclosing or using the information except to carry out the purposes for which the information was disclosed, including use under an exception in §§ 1016.14 or 1016.15 in the ordinary course of business to carry out those purposes? (§ 1016.13(a)(1)(ii))

                                         Exceptions to Notice and Opt Out Requirements for Processing and Servicing Transactions

                                         Exceptions to Notice and Opt Out Requirements for Processing and Servicing Transactions

                                         Item	Description	Yes	No	N/A
                                         50	If the credit union discloses nonpublic personal information to nonaffiliated third parties, do the requirements for initial notice in § 1016.4(a)(2), opt out in §§ 1016.7 and 1016.10, revised notice in § 1016.8, and for service providers and joint marketing in § 1016.13, not apply because the information is disclosed as necessary to effect, administer, or enforce a transaction that the consumer requests or authorizes, or in connection with:	N/A	N/A	N/A
                                         50(a)	Servicing or processing a financial product or service requested or authorized by the consumer; (§ 1016.14(a)(1))
                                         50(b)	Maintaining or servicing the consumer's account with the credit union or with another entity as part of a private label credit card program or other credit extension on behalf of the entity; or (§ 1016.14(a)(2))
                                         50(c)	A proposed or actual securitization, secondary market sale (including sale of servicing rights) or other similar transaction related to a transaction of the consumer? (§ 1016.14(a)(3))
                                         51	If the credit union uses a § 1016.14 exception as necessary to effect, administer, or enforce a transaction, is the disclosure:	N/A	N/A	N/A
                                         51(a)	Required, or is one of the lawful or appropriate methods, to enforce the rights of the credit union or other persons engaged in carrying out the transaction or providing the product or service; (§ 1016.14(b)(1)) or
                                         51(b)	Required, or is a usual, appropriate, or acceptable method, to: (§ 1016.14(b)(2))
                                         51(b)(i)	Carry out the transaction or the product or service business of which the transaction is a part, including recording, servicing, or maintaining the consumer's account in the ordinary course of business; (§ 1016.14(b)(2)(i))
                                         51(b)(ii)	Administer or service benefits or claims; (§ 1016.14(b)(2)(ii))
                                         51(b)(iii)	Confirm or provide a statement or other record of the transaction or information on the status or value of the financial service or financial product to the consumer or the consumer’s agent or broker; (§ 1016.14(b)(2)(iii))
                                         51(b)(iv)	Accrue or recognize incentives or bonuses; (§ 1014.14(b)(2)(iv))
                                         51(b)(v)	Underwrite insurance or for reinsurance or for certain other purposes related to a consumer's insurance; (§ 1016.14(b)(2)(v)) or
                                         51(b)(vi)	In connection with:	N/A	N/A	N/A
                                         51(b)(vi)(1)	The authorization, settlement, billing, processing, clearing, transferring, reconciling, or collection of amounts charged, debited, or otherwise paid by using a debit, credit, or other payment card, check, or account number, or by other payment means; (§ 1016.14(b)(2)(vi)(A))
                                         51(b)(vi)(2)	The transfer of receivables, accounts or interests therein; (§ 1016.14(b)(2)(vi)(B)) or
                                         51(b)(vi)(3)	The audit of debit, credit, or other payment information? (§ 1016.14(b)(2)(vi)(C))

                                         Other Exceptions to Notice and Opt Out Requirements

                                         Other Exceptions to Notice and Opt Out Requirements

                                         Item	Description	Yes	No	N/A
                                         52	If the credit union discloses nonpublic personal information to nonaffiliated third parties, do the requirements for initial notice in § 1016.4(a)(2), opt out in §§ 1016.7 and 1016.10, revised notice in § 1016.8, and for service providers and joint marketers in § 1016.13, not apply because the credit union makes the disclosure:	N/A	N/A	N/A
                                         52(a)	With the consent or at the direction of the consumer; (§ 1016.15(a)(1))
                                         52(b)	To protect the confidentiality or security of records, (§ 1016.15(a)(2)(i)); to protect against or prevent actual or potential fraud, unauthorized transactions, claims, or other liability, (§ 1016.15(a)(2)(ii)); for required credit union risk control or for resolving consumer disputes or inquiries, (§ 1016.15(a)(2)(iii)); to persons holding a legal or beneficial interest relating to the consumer, (§ 1016.15(a)(2)(iv)); or to persons acting in a fiduciary or representative capacity on behalf of the consumer; (§ 1016.15(a)(2)(v))
                                         52(c)	To insurance rate advisory organizations, guaranty funds or agencies, agencies rating the credit union, persons assessing compliance, and the credit union's attorneys, accountants, and auditors; (§ 1016.15(a)(3))
                                         52(d)	As specifically permitted or required by other provisions of law and in compliance with the Right to Financial Privacy Act, to law enforcement agencies, self-regulatory organizations, or for an investigation on a matter related to public safety; (§ 1016.15(a)(4))
                                         52(e)	To a consumer reporting agency in accordance with the FCRA or from a consumer report reported by a consumer reporting agency; (§ 1016.15(a)(5))
                                         52(f)	In connection with a proposed or actual sale, merger, transfer, or exchange of all or a portion of a business or operating unit, if the disclosure of nonpublic personal information concerns solely consumers of such business or unit; (§ 1016.15(a)(6))
                                         52(g)	To comply with Federal, state, or local laws, rules, or legal requirements; (§ 1016.15(a)(7)(i))
                                         52(h)	To comply with a properly authorized civil, criminal, or regulatory investigation, or subpoena or summons by Federal, state, or local authorities; (§ 1016.15(a)(7)(ii)) or
                                         52(i)	To respond to judicial process or government regulatory authorities having jurisdiction over the credit union for examination, compliance, or other purposes as authorized by law? (§ 1016.15(a)(7)(iii))

                                         Footnotes

                                         [1] 15 U.S.C. §§6801-6809. Full text of GLBA, including sections not related to consumer financial privacy, is here.

                                         [2] Dodd-Frank Wall Street Reform and Consumer Protection Act of 2010, Pub. L. No. 111-203, Title X, 124 Stat. 1983 (2010).

                                         [3] Dodd-Frank Act §§1002(12)(J), 1024(b)-(c), and 1025(b)-(c); 12 U.S.C. §§5481(12)(J), 5514(b)-(c), and 5515(b)-(c). Section 1002(12)(J) of the Dodd-Frank Act, however, excluded financial institutions’ information security safeguards under GLBA section 501(b) from the CFPB’s rulemaking, examination, and enforcement authority.

                                         [4] 76 FR 79025 (Dec. 21, 2011). Pursuant to GLBA, the FTC retains rulemaking authority over any financial institution that is a person described in 12 U.S.C. §5519 (with certain statutory exceptions, the FTC generally retains rulemaking authority for motor vehicle dealers predominantly engaged in the sale and servicing of motor vehicles, the leasing and servicing of motor vehicles, or both).

                                         [7] Fixing America’s Surface Transportation Act of 2015, Pub. L. No. 114-94 (2015), 129 Stat. 1312 (2015).

                                         [8] These reflect FFIEC-approved examination procedures.