New privacy obligations will make demands of credit unions

The privacy protections in the Gramm-Leach-Bliley Act of 1999 will have a significant impact on how credit unions provide diverse products and services to their members. Under Title V of the Act, credit unions, along with all other financial institutions, are required to implement new privacy controls to protect their members' nonpublic personal information. The National Credit Union Administration, along with all of the other federal financial institution regulators, is reviewing public comment submitted on proposed regulations that would implement the Act's privacy requirements. NCUA's regulations, which are expected to be finalized in early May, are written for federally insured credit unions. About 400 non-federally insured credit unions will be subject to the Federal Trade Commission's regulations. CUSOs that offer brokerage services will be subject to both the FTC rules and the Securities and Exchange Commission's version. The proposed effective date for the new regulations is November 13, 2000 but we will not know for certain until the final regulations are released in May. What the Act says You can find the entire proposed regulation at www.ncua.gov under "Just Posted," February 24 ("Proposed Rule - 12 CFR Parts 716 and 741"). To briefly summarize, here is what credit unions will be required to do: All credit unions will be required to provide an annual privacy notice to individuals using their products and services, even if a credit union does not share any information with a third party for marketing purposes. The credit union is required to make specific disclosures about its sharing of "nonpublic personal information," which it obtains from members, and in some cases, nonmembers. The regulation does not prohibit a credit union from sharing information with nonaffiliated third parties. It simply requires the credit union to explain to its members before hand what information it collects, discloses and who receives it, and include a reasonable opportunity for members to "opt-out." When sharing information with another financial institution under a joint marketing agreement, the opt-out is not required as long as the credit union describes the relationship in its privacy notice and includes confidentiality protections in the agreement. Certain information cannot be shared with nonaffiliated third parties, namely account number or similar access number for a credit card account, share account or transaction account for use in telemarketing, direct mail or other electronic marketing efforts. The anticipated regulation will spell out the who, when, how and what of privacy disclosure notices, the opt-out notice, and exceptions that apply for sharing information with data processors, governmental agencies and other non-marketing organizations. What should you do now? Privacy controls and information sharing practices are important to a credit union's business. Consider the following: * Analyze your operations, strategies and procedures, and consider where your privacy policy fits in. How are you currently disclosing your privacy policy? Do you have one? Ask yourself, "Who do we share information with? How do we want to protect member privacy? How will we administer our privacy notices?" * Identify all points of contact a member may have with your services, particularly your member enrollment processes; this may be where you present your initial privacy notice. * Use the proposed regulations as an indicator of what will be required. Much of the proposed regulations were taken directly from the Act and provide a good preview of what we can expect. Become familiar with the notice and opt-out requirements and understand how the exceptions apply to your business and your members' expectations on information sharing. * Involve your board early. Your strategy process should account for the time your board will need to review the privacy policy and ensure that it complements your business strategy. * Develop an operational plan. Decide how you'll carry out your privacy policy in your day-to-day activities. Consider a communication plan to your members and include time to train front line staff. Set key deadlines with an eye toward being in compliance by November 13. Reform of the financial services industry will shape our market for years to come, but it would be incomplete without regulations that protect members' privacy. In order to take advantage of these reforms, credit unions must maintain relationships with third parties to offer a wider range of member service products. These relationships will require sharing member information. This article is not intended to offer legal advice. If you have specific questions, contact your credit union attorney or state credit union league.