Right now, your credit union is probably scrambling to enact policies and procedures to comply with the new Customer Identification Procedures (CIP). In addition, you are beginning to change your data collection processes to comply with the Home Mortgage Disclosure Act (HMDA) amendments effective January 1, 2004. The last thing you want to think about is a burdensome regulatory requirement that you just "finished" complying with – privacy. You analyzed your privacy practices, developed policies, procedures, and disclosures, and trained staff on NCUA's Privacy Regulation (NCUA Rules and Regulations Part 716.) The problem is that a credit union is never "finished" with privacy compliance. Why is a credit union never finished with privacy compliance? Well, you always will share member information, in one form or another, with third parties. Furthermore, you will always have to disclose to members how, why, and when this information is shared. Let's take a look at what your credit union has to do to continually stay on top of privacy compliance. First Step Always start at the beginning. Go back and read your privacy policy and initial disclosure. Get a good handle on your current privacy practices. Determine what you share and with whom. If you start elsewhere, you create more work than necessary. Dig out your list of all third party relationships. What information credit union employees actually disclose in their daily contact with others is where the rubber meets the road. You want to refer to the list that contains the name of all third parties, the type of information shared, and a description of the relationship with the credit union. Now you take that list, and distribute it to all functional departments (real estate loans, consumer loans, marketing, operations, etc.) and have each department update the list based on current relationships. It will be very difficult for one individual to update the third party list, because there is probably not one individual who has a handle on all third party relationships. Also, be sure to update the list not just in terms of new third parties, but also new relationships and new information shared with existing third parties. Compare How do your current information sharing practices stack up with your existing privacy policy and disclosure? For example, look closely at the type of information your privacy notice says you are going to disclose to third parties. Do you now disclose a whole new category of nonpublic personal information to a nonaffiliated third party? Closely scrutinize your current information sharing practices and compare with your privacy policy and notice. Privacy Notice Update Do you need to update your privacy policy and disclosure because you share nonpublic personal information differently than how you disclosed initially? NCUA Rules and Regulations Part 716.8 states that you must not "disclose any nonpublic personal information about a consumer to a nonaffiliated third party other than as described in the initial notice that you provided to that consumer under 716.4, unless: *You have provided to the consumer a revised notice that accurately describes your policies and practices; *You have provided to the consumer a new opt out notice; *You have given the consumer a reasonable opportunity, before you disclose the information to the nonaffiliated third party, to opt out of the disclosure; and The consumer does not opt out. Does this apply to you? You will not know unless you complete each of the steps above. Your best course of action is to develop a system whereby every time a new third party relationship is contemplated or the nature of the relationship will be changing, you verify that this new information sharing practice complies with your existing privacy notice and policy. It is an ongoing and continual process. Failing to do so could result in sharing information with third parties differently than you disclose to members. A bad deal for members and a good deal for plaintiff attorneys. Now back to developin and implementing a CIP program in four months time.